Warn for misplaced by-component refs for GSA#939

features/fedramp_extensions.feature

@@ -112,6 +112,7 @@ Examples:
   | leveraged-authorization-has-valid-impact-level |
   | leveraged-authorization-nature-of-agreement |
   | marking |
+  | misplaced-response-components |
   | missing-response-components |
   | network-component-has-connection-security-prop |
   | network-component-has-implementation-point |
@@ -334,6 +335,8 @@ Examples:
   | leveraged-authorization-nature-of-agreement-PASS.yaml |
   | marking-FAIL.yaml |
   | marking-PASS.yaml |
+  | misplaced-response-components-FAIL.yaml |
+  | misplaced-response-components-PASS.yaml |
   | missing-response-components-FAIL.yaml |
   | missing-response-components-PASS.yaml |
   | network-component-has-connection-security-prop-FAIL.yaml |

src/validations/constraints/content/ssp-misplaced-response-components-INVALID.xml

@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+  <system-implementation>
+    <component uuid="55555555-0000-4000-9000-000000000005" type="this-system">
+      <title>System To Be Authorized</title>
+      <description>
+        <p>This component reflects the system to be authorized.</p>
+        <p>A proper SSP should reference this correctly within a given statement to document implemented requirements per FedRAMP requirements.</p>
+        <p>This example SSP does not do that, it's invalid and has some problems.</p>
+      </description>
+    </component>  
+  </system-implementation>
+  <control-implementation>
+    <description>
+      <p>Implementation of controls for the System to be Authorized</p>
+    </description>    
+    <implemented-requirement uuid="bbbbbbbb-0000-4000-9000-00000000000b" control-id="cm-8">
+      <prop name="control-origination" value="unsupported-origination" ns="https://fedramp.gov/ns/oscal"/>
+      <statement statement-id="cm-8_stmt.a" uuid="cccccccc-0000-4000-9000-00000000000c"/>
+      <by-component component-uuid="55555555-0000-4000-9000-000000000005" uuid="ce9c5b13-c9ea-40bb-bd4e-51e1520a4bce">
+          <description>
+            <p>This component reference would be valid if it was within the <code>statement</code> above, but it is not.</p>
+            <p>This constraint violation for the invalid file should warn users and developers repurposing valid syntax for NIST's upstream OSCAL generic use cases is not valid specifically for FedRAMP.</p>
+          </description>        
+      </by-component>
+    </implemented-requirement>
+  </control-implementation>
+</system-security-plan>

src/validations/constraints/fedramp-external-constraints.xml

@@ -166,6 +166,15 @@
     <context>
         <metapath target="/system-security-plan/control-implementation"/>
         <constraints>
+            <expect id="misplaced-response-components" target="implemented-requirement" test="count(./by-component) gt 0" level="WARNING">
+                <formal-name>By-Component Reference for Implemented Requirements Misplaced</formal-name>
+                <message>A FedRAMP SSP MUST identify how the system implements each control requirement implemented at the per-statement level, not in other locations allowed for non-FedRAMP use cases.</message>
+                <remarks>
+                    <p>NIST maintains OSCAL models that allow implemented requirements for controls to have references to the implementing components in multiple locations to support multiple use cases.</p>
+                    <p>Despite the flexibility of NIST's upstream OSCAL models, FedRAMP only accepts OSCAL-based SSP with the reference in one of those locations, see <code>missing-response-components</code> for more details about this requirement.</p>
+                    <p>A constraint violation with this warning indicates a given SSP uses one of the valid locations for all NIST use cases, not the only one FedRA</p>
+                </remarks>
+            </expect>        
             <expect id="missing-response-components" target="implemented-requirement/statement" test="count(./by-component) gt 0" level="ERROR">
                 <formal-name>By-Component Reference for Implemented Requirements Missing</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/6-security-controls/#response-overview"/>

src/validations/constraints/unit-tests/misplaced-response-components-FAIL.yaml

@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for misplaced-response-components
+  description: >-
+    This test case validates the behavior of constraint
+    misplaced-response-components
+  content: ../content/ssp-misplaced-response-components-INVALID.xml
+  expectations:
+    - constraint-id: misplaced-response-components
+      result: fail

src/validations/constraints/unit-tests/misplaced-response-components-PASS.yaml

@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for misplaced-response-components
+  description: >-
+    This test case validates the behavior of constraint
+    misplaced-response-components
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: misplaced-response-components
+      result: pass