GSA · Rene2mt · Nov 25, 2024 · Nov 20, 2024 · Nov 20, 2024 · Nov 21, 2024
@@ -124,6 +124,8 @@ Examples:
   | security-level |
   | security-sensitivity-level-matches-security-impact-level |
   | unique-inventory-item-asset-id |
+  | unique-inventory-item-asset-id |
+  | user-authentication |
   | user-has-authorized-privilege |
   | user-has-privilege-level |
   | user-has-role-id |
@@ -345,6 +347,8 @@ Examples:
   | security-sensitivity-level-matches-security-impact-level-PASS.yaml |
   | unique-inventory-item-asset-id-FAIL.yaml |
   | unique-inventory-item-asset-id-PASS.yaml |
+  | user-authentication-FAIL.yaml |
+  | user-authentication-PASS.yaml |
   | user-has-authorized-privilege-FAIL.yaml |
   | user-has-authorized-privilege-PASS.yaml |
   | user-has-privilege-level-FAIL.yaml |

@@ -319,6 +319,11 @@
       </description>
       <prop name="interconnection-security" value="vpn" ns="https://fedramp.gov/ns/oscal"/>
       <prop name="interconnection-direction" value="in/out" ns="https://fedramp.gov/ns/oscal"/>
+      <prop ns="https://fedramp.gov/ns/oscal" name="authentication-method" value="yes">
+        <remarks>
+          <p>Some description of the authentication method.</p>
+        </remarks>
+      </prop>
       <status state="operational"/>
       <responsible-role role-id="system-admin">
         <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>

@@ -0,0 +1,82 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+  <system-implementation>
+    <component uuid="11111111-2222-4000-8000-009000100001" type="system">
+      <prop name="leveraged-authorization-uuid" value="11111111-2222-4000-8000-019000000001"/>
+      <prop name="implementation-point" value="external"/>
+      <prop ns="https://fedramp.gov/ns/oscal" name="nature-of-agreement" value="sla"/>
+      <prop ns="https://fedramp.gov/ns/oscal" name="authentication-method" value="INVALID">
+        <remarks>
+          <p>If 'yes', describe the authentication method.</p>
+          <p>If 'no', explain why no authentication is used.</p>
+          <p>If 'not-applicable', attest explain why authentication is not applicable in the remarks.</p>
+        </remarks>
+      </prop>
+    </component>
+    <component uuid="11111111-2222-4000-8000-009000500002" type="service">
+      <title>Service B</title>
+      <description>
+        <p>An non-authorized service provided by the Awesome Cloud leveraged authorization.</p>
+        <p>Describe the service and what it is used for.</p>
+      </description>
+      <prop name="implementation-point" value="external"/>
+      <prop name="direction" value="outgoing"/>
+      <prop ns="https://fedramp.gov/ns/oscal" name="still-supported" value="yes"/>
+      <prop ns="https://fedramp.gov/ns/oscal" name="authentication-method" value="INVALID">
+        <remarks>
+          <p>If 'yes', describe the authentication method.</p>
+          <p>If 'no', explain why no authentication is used.</p>
+          <p>If 'not-applicable', attest explain why authentication is not applicable in the remarks.</p>
+        </remarks>
+      </prop>
+    </component>
+    <component uuid="11111111-2222-4000-8000-009000200001" type="interconnection">
+      <prop name="direction" value="incoming"/>
+      <prop name="direction" value="outgoing"/>
+      <prop ns="https://fedramp.gov/ns/oscal" name="nature-of-agreement" value="contract"/>
+      <prop ns="https://fedramp.gov/ns/oscal" name="still-supported" value="yes"/>
+      <prop ns="https://fedramp.gov/ns/oscal" name="authentication-method" value="INVALID">
+        <remarks>
+          <p>If 'yes', describe the authentication method in the remarks.</p>
+          <p>If 'no', explain why no authentication is used in the remarks.</p>
+          <p>If 'not-applicable', attest explain why authentication is not applicable in the remarks.</p>
+        </remarks>
+      </prop>
+    </component>
+    <component uuid="11111111-2222-4000-8000-009000500004" type="service">
+      <title>Service C</title>
+        <description>
+          <p>A service provided by an external system other than the leveraged system.</p>
+          <p>Describe the service and what it is used for.</p>
+        </description>
+        <prop name="implementation-point" value="internal"/>
+        <prop name="direction" value="outgoing"/>
+        <prop ns="https://fedramp.gov/ns/oscal" name="authentication-method" value="INVALID">
+          <remarks>
+            <p>If 'yes', describe the authentication method in the remarks.</p>
+            <p>If 'no', explain why no authentication is used in the remarks.</p>
+            <p>If 'not-applicable', attest explain why authentication is not applicable in the remarks.</p>
+          </remarks>
+        </prop>
+    </component>
+    <component uuid="11111111-2222-4000-8000-009000300001" type="software">
+      <title>Management CLI</title>
+      <description>
+        <p>None</p>
+      </description>
+      <prop name="asset-type" value="cli"/>
+      <prop name="implementation-point" value="internal"/>
+      <prop name="direction" value="outgoing"/>
+      <prop ns="https://fedramp.gov/ns/oscal" name="authentication-method" value="INVALID">
+        <remarks>
+          <p>If 'yes', describe the authentication method in the remarks.</p>
+          <p>If 'no', explain why no authentication is used in the remarks.</p>
+          <p>If 'not-applicable', attest explain why authentication is not applicable in the remarks.</p>
+        </remarks>
+      </prop>
+    </component>
+  </system-implementation>
+</system-security-plan>
@@ -385,6 +385,20 @@
                 <enum value="other">Other</enum>
             </allowed-values>
 
+            <allowed-values id="user-authentication" target="//component[(@type='system' and ./prop[@name='leveraged-authorization-uuid']) or (@type='service' and not(./prop[@name='leveraged-authorization-uuid']) and ./prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type='service' and ./prop[@name='implementation-point' and @value='internal'] and ./prop[@name='direction']) or (@type='software' and ./prop[@name='asset-type' and @value='cli'] and ./prop[@name='direction'])]/prop[@ns='https://fedramp.gov/ns/oscal' and @name='authentication-method']/@value" allow-other="no" level="ERROR">
+                <formal-name>User Authentication</formal-name>
+                <description>Identifies if user authentication is required.</description>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#leveraged-fedramp-authorized-services"/>
+                <enum value="yes">Yes</enum>
+                <enum value="no">No</enum>
+                <enum value="not-applicable">Not-Applicable</enum>
+                <remarks>
+                    <p>yes: An authentication mechanism exists, and is described in the remarks.</p>
+                    <p>no: An authentication mechanism does not exist, the reason authentication is not necessary is described in the remarks.</p>
+                    <p>not-applicable: The authentication requirement is not applicable, and is described in the remarks.</p>
+                </remarks>
+            </allowed-values>
+
             <allowed-values id="user-privilege-level" target="//user/prop[@ns='https://fedramp.gov/ns/oscal' and @name='privilege-level']/@value" allow-other="no" level="ERROR">
                 <formal-name>Privilege Level</formal-name>
                 <description>The privilege level of the user.</description>

@@ -0,0 +1,7 @@
+test-case:
+  name: Negative Test for user-authentication
+  description: This test case validates the behavior of constraint user-authentication
+  content: ../content/ssp-user-authentication-INVALID.xml
+  expectations:
+    - constraint-id: user-authentication
+      result: fail
@@ -0,0 +1,7 @@
+test-case:
+  name: Positive Test for user-authentication
+  description: This test case validates the behavior of constraint user-authentication
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: user-authentication
+      result: pass