diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature
index 5c787240b..2be22ee2c 100644
--- a/features/fedramp_extensions.feature
+++ b/features/fedramp_extensions.feature
@@ -38,6 +38,7 @@ Examples:
 | cia-impact-has-selected |
 | cloud-service-model |
 | component-has-authentication-method |
+ | component-has-diagram-label |
 | component-has-non-provider-responsible-role |
 | component-has-provider-responsible-role |
 | component-has-used-by-link |
@@ -125,6 +126,7 @@ Examples:
 | inventory-item-allows-authenticated-scan |
 | inventory-item-and-component-has-public |
 | inventory-item-has-asset-type |
+ | inventory-item-has-diagram-label |
 | inventory-item-has-function |
 | inventory-item-has-scan-type |
 | inventory-item-has-valid-mac-address |
@@ -217,6 +219,8 @@ Examples:
 | cloud-service-model-PASS.yaml |
 | component-has-authentication-method-FAIL.yaml |
 | component-has-authentication-method-PASS.yaml |
+ | component-has-diagram-label-FAIL.yaml |
+ | component-has-diagram-label-PASS.yaml |
 | component-has-non-provider-responsible-role-FAIL.yaml |
 | component-has-non-provider-responsible-role-PASS.yaml |
 | component-has-used-by-link-FAIL.yaml |
@@ -391,6 +395,8 @@ Examples:
 | inventory-item-and-component-has-public-PASS.yaml |
 | inventory-item-has-asset-type-FAIL.yaml |
 | inventory-item-has-asset-type-PASS.yaml |
+ | inventory-item-has-diagram-label-FAIL.yaml |
+ | inventory-item-has-diagram-label-PASS.yaml |
 | inventory-item-has-function-FAIL.yaml |
 | inventory-item-has-function-PASS.yaml |
 | inventory-item-has-scan-type-FAIL.yaml |
diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
index 171d69de9..d7288aa0e 100644
--- a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+++ b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
@@ -1041,6 +1041,7 @@ these datails are derived from other content in this SSP.</p> <p>An authorized service provided by the Awesome Cloud leveraged authorization.</p> <p>Describe the service and what it is used for.</p> </description> + <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/> <prop name="leveraged-authorization-uuid" value="11111111-2222-4000-8000-019000000001"/> <prop name="implementation-point" value="external"/> <prop ns="http://fedramp.gov/ns/oscal" name="information-type" class="incoming" value="C.3.5.1"/> @@ -1102,6 +1103,7 @@ leveraged-authorization assembly:</p> <p>An non-authorized service provided by the Awesome Cloud leveraged authorization.</p> <p>Describe the service and what it is used for.</p> </description> + <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/> <prop name="implementation-point" value="external"/> <prop name="connection-security" value="tls-1.3" ns="http://fedramp.gov/ns/oscal"/> <prop ns="http://fedramp.gov/ns/oscal" name="direction" value="outgoing"/> @@ -1197,6 +1199,7 @@ leveraged-authorization assembly:</p> <description> <p>An external system to which this system shares an interconnection.</p> </description> + <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/> <prop name="implementation-point" value="external"/> <prop name="direction" value="incoming" ns="http://fedramp.gov/ns/oscal"/> <prop name="direction" value="outgoing" ns="http://fedramp.gov/ns/oscal"/> 
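Review bot: Every `diagram-label` prop added to the example SSP in this hunk and the ones that follow carries the same placeholder `value='label'`, on the leveraged-authorization service, the non-authorized service and the interconnection alike, so the example shows that the property must be present but not what it is for, which from the help-url on the new constraints is presumably tying a component or inventory item to a specific node on the boundary and data-flow diagrams. Since this file also serves as the PASS fixture for both new constraints and they only test presence, giving each component a distinct label (e.g. `value='LA-1'` on the leveraged service, `value='IC-1'` on the interconnection) would make the example a usable template with no change to the test outcome. A one-line comment above the first occurrence, such as `<!-- diagram-label must match the label used for this component on the authorization boundary / network / data-flow diagrams -->`, would make the intent explicit; confirm that wording against the attachments guidance the help-url points at.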
@@ -1285,6 +1288,7 @@ and "system-poc-technical"</p> <p>Describe the purpose of the external system/service; specifically, provide reasons for connectivity (e.g., system monitoring, system alerting, download updates, etc.)</p> </description> + <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/> <prop name="implementation-point" value="external"/> <prop ns="http://fedramp.gov/ns/oscal" name="direction" value="incoming"/> <prop ns="http://fedramp.gov/ns/oscal" name="direction" value="outgoing"/> @@ -1430,6 +1434,7 @@ here.</p> <p>A service provided by an external system other than the leveraged system.</p> <p>Describe the service and what it is used for.</p> </description> + <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/> <prop name="implementation-point" value="external"/> <!--<prop name="direction" value="outgoing"/>--> <prop name="leveraged-authorization-uuid" value="11111111-2222-4000-8000-019000000001"/> @@ -1521,7 +1526,7 @@ leveraged-authorization assembly:</p> <p>A service provided by an external system other than the leveraged system.</p> <p>Describe the service and what it is used for.</p> </description> - + <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/> <prop name="implementation-point" value="internal"/> <prop name="public" value="no"/> <prop name="connection-security" value="tls-1.3" ns="http://fedramp.gov/ns/oscal"/> @@ -1598,6 +1603,7 @@ property.</p> <description> <p>None</p> </description> + <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/> <prop name="asset-type" value="cli"/> <prop name="implementation-point" value="internal"/> <prop name="connection-security" value="tls-1.3" ns="http://fedramp.gov/ns/oscal"/> 
@@ -1741,6 +1747,7 @@ compliance (e.g., Module in Process).</p> <description> <p>FUNCTION: Describe typical component function.</p> </description> + <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/> <prop name="asset-type" value="operating-system"/> <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/> <prop name="vendor-name" value="Vendor Name"/> @@ -1762,6 +1769,7 @@ compliance (e.g., Module in Process).</p> <description> <p>FUNCTION: Describe typical component function.</p> </description> + <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/> <prop name="asset-type" value="operating-system"/> <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/> <prop name="vendor-name" value="Vendor Name"/> @@ -1783,6 +1791,7 @@ compliance (e.g., Module in Process).</p> <description> <p>FUNCTION: This container image is the base operating system used in the example. A notional CSP, like Awesome Cloud, would update and customize this image for business, reliability, and security needs.</p> </description> + <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/> <prop name="asset-type" value="image"/> <prop name="checksum" ns="http://fedramp.gov/ns/oscal" value="504931a74cb58330cafb9f59f5e553af3cc63af205dc955f7f80dc981276def0"/> <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/> @@ -1808,6 +1817,7 @@ compliance (e.g., Module in Process).</p> <description> <p>FUNCTION: Describe typical component function.</p> </description> + <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/> <prop name="asset-type" value="database"/> <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/> <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="database"/> 
@@ -1830,6 +1840,7 @@ compliance (e.g., Module in Process).</p> <description> <p>None</p> </description> + <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/> <prop name="asset-type" value="operating-system"/> <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/> <prop name="baseline-configuration-name" value="Baseline Config. Name"/> @@ -1841,6 +1852,7 @@ compliance (e.g., Module in Process).</p> <description> <p>None</p> </description> + <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/> <prop name="connection-security" value="tls-1.3" ns="http://fedramp.gov/ns/oscal"/> <prop name="implementation-point" value="external"/> <prop name="direction" value="incoming" ns="http://fedramp.gov/ns/oscal"/> @@ -1886,6 +1898,7 @@ compliance (e.g., Module in Process).</p> <description> <p>None</p> </description> + <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/> <prop name="asset-type" value="appliance"/> <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="web"/> <prop ns="http://fedramp.gov/ns/oscal" name="login-url" value="https://admin.offering.com/login"/> @@ -2268,6 +2281,7 @@ approved.</p> <description> <p>Email Service</p> </description> + <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/> <prop name="connection-security" value="tls-1.3" ns="http://fedramp.gov/ns/oscal"/> <prop name="implementation-point" value="external"/> <prop name="direction" value="incoming" ns="http://fedramp.gov/ns/oscal"/> @@ -2310,6 +2324,7 @@ approved.</p> <description> <p>Legacy Example (No implemented-component).</p> </description> + <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/> <prop name="asset-id" value="unique-asset-ID-01"/> <prop name="ipv4-address" value="10.1.1.1"/> <prop name="ipv6-address" value="2001:db8:3333:4444:5555:6666:7777:8888"/> 
@@ -2364,6 +2379,7 @@ approved.</p> <description> <p>Component Inventory Example</p> </description> + <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/> <prop name="asset-id" value="unique-asset-ID-02"/> <prop name="ipv4-address" value="10.2.2.2"/> <prop name="ipv6-address" value="0000:0000:0000:0000:0000:ffff:0a02:0202"/> @@ -2407,6 +2423,7 @@ approved.</p> <description> <p>None.</p> </description> + <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/> <prop name="asset-id" value="unique-asset-ID-03"/> <prop name="asset-type" value="web-server"/> <prop name="virtual" value="yes"/> @@ -2429,6 +2446,7 @@ approved.</p> <description> <p>None.</p> </description> + <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/> <prop name="asset-id" value="unique-asset-ID-04"/> <prop name="asset-type" value="appliance"/> <prop name="virtual" value="yes"/> @@ -2446,6 +2464,7 @@ approved.</p> <description> <p>None.</p> </description> + <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/> <prop name="asset-id" value="unique-asset-ID-05"/> <prop name="asset-type" value="firewall"/> <prop name="ipv4-address" value="10.5.5.5"/> @@ -2467,6 +2486,7 @@ approved.</p> <description> <p>None.</p> </description> + <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/> <prop name="asset-id" value="unique-asset-ID-06"/> <prop name="ipv4-address" value="10.6.6.6"/> <prop name="ipv6-address" value="0000:0000:0000:0000:0000:ffff:0a06:0606"/> @@ -2492,6 +2512,7 @@ approved.</p> <description> <p>None.</p> </description> + <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/> <prop name="asset-id" value="unique-asset-ID-07"/> <prop name="asset-type" value="switch"/> <prop name="ipv4-address" value="10.7.7.7"/> 
@@ -2512,6 +2533,7 @@ approved.</p> <description> <p>None.</p> </description> + <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/> <prop name="asset-id" value="unique-asset-ID-08"/> <prop name="asset-type" value="web-server"/> <prop name="ipv4-address" value="10.8.8.8"/> @@ -2536,6 +2558,7 @@ approved.</p> <description> <p>Email-Service</p> </description> + <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/> <prop name="asset-id" value="unique-asset-ID-09"/> <prop name="asset-type" value="email-server"/> <prop name="ipv4-address" value="10.10.10.100"/> diff --git a/src/validations/constraints/content/ssp-component-has-diagram-label-INVALID.xml b/src/validations/constraints/content/ssp-component-has-diagram-label-INVALID.xml new file mode 100644 index 000000000..e520c8ddd --- /dev/null +++ b/src/validations/constraints/content/ssp-component-has-diagram-label-INVALID.xml @@ -0,0 +1,10 @@ +<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="11111111-2222-4000-8000-000000000000"> + <system-implementation> + <component uuid="11111111-2222-4000-8000-009000000007" type="hardware"> + <!-- <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/> Missing "diagram-label" prop. --> + </component> + <inventory-item uuid="11111111-2222-4000-8000-011000000001"> + <implemented-component component-uuid="11111111-2222-4000-8000-009000000005"/> + </inventory-item> + </system-implementation> +</system-security-plan> \ No newline at end of file diff --git a/src/validations/constraints/content/ssp-inventory-item-has-diagram-label-INVALID.xml b/src/validations/constraints/content/ssp-inventory-item-has-diagram-label-INVALID.xml new file mode 100644 index 000000000..0c145ab13 --- /dev/null +++ b/src/validations/constraints/content/ssp-inventory-item-has-diagram-label-INVALID.xml 
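Review bot: In `ssp-component-has-diagram-label-INVALID.xml` the inventory item's `implemented-component` points at `11111111-2222-4000-8000-009000000005`, a uuid no component in the file carries, so the unlabeled hardware component `…009000000007` is left outside `$inventory-linked-component-uuids` only because of a dangling reference, which reads like a typo rather than a deliberate setup. A comment on that line, e.g. `<!-- component-uuid intentionally differs from 009000000007 so that component is NOT inventory-linked and must carry its own diagram-label -->`, would make that clear. Separately, nothing in this change exercises the exclusion itself: a fixture where the label-less component is the one the inventory item implements, with `component-has-diagram-label` expected to pass, would pin that path, which the PASS test against the full example SSP cannot if, as the other hunks suggest, every component there now has a label.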
@@ -0,0 +1,10 @@ +<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="11111111-2222-4000-8000-000000000000"> + <system-implementation> + <component uuid="11111111-2222-4000-8000-009000000007" type="process-procedure"> + <!-- <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/> Missing "diagram-label" prop. --> + </component> + <inventory-item uuid="11111111-2222-4000-8000-011000000001"> + <!-- <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/> Missing "diagram-label" prop. --> + </inventory-item> + </system-implementation> +</system-security-plan> \ No newline at end of file diff --git a/src/validations/constraints/fedramp-external-allowed-values.xml b/src/validations/constraints/fedramp-external-allowed-values.xml index 4e2013a05..da15f9c66 100644 --- a/src/validations/constraints/fedramp-external-allowed-values.xml +++ b/src/validations/constraints/fedramp-external-allowed-values.xml @@ -61,6 +61,7 @@ <enum value="privacy-impact-assessment">Privacy Impact Assessment</enum> <enum value="information-system-contingency-plan">Information System Contingency Plan</enum> <enum value="configuration-management-plan">configuration-management-plan</enum> + <enum value="fedramp-poam">A Plan of Action and Milestones represented either using the FedRAMP template or FedRAMP-compliant OSCAL.</enum> <remarks> <p>Not all values apply to all FedRAMP artifacts.</p> </remarks> 
@@ -100,6 +101,8 @@ <enum value="this-system">The system as a whole.</enum> <enum value="system">An external system, which may be a leveraged system or the other side of an interconnection.</enum> <enum value="network">A physical or virtual network.</enum> + <enum value="client">A client that may use a service.</enum> + <enum value="connection">A logical connection between two or more network nodes.</enum> </allowed-values> <allowed-values id="connection-security" target="system-implementation/component/prop[@name='connection-security' and @ns='http://fedramp.gov/ns/oscal']/@value" allow-other="yes" level="WARNING"> diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml index c47ab8ccb..4db7d59cc 100644 --- a/src/validations/constraints/fedramp-external-constraints.xml +++ b/src/validations/constraints/fedramp-external-constraints.xml 
@@ -586,11 +586,17 @@ <metapath target="/system-security-plan/system-implementation"/> <constraints> <let var="inter-boundary-component" expression="component[(@type=('service','software') and not(prop[@name='leveraged-authorization-uuid']) and prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type=('service','software') and prop[@name='implementation-point' and @value='internal'] and (prop[@name='communicates-externally' and @value='yes' and @ns='http://fedramp.gov/ns/oscal']))]"/> + <let var="inventory-linked-component-uuids" expression="inventory-item/implemented-component/@component-uuid"/> <expect id="authentication-method-has-remarks" target="//component[(@type='system' and ./prop[@name='leveraged-authorization-uuid']) or (@type='service' and not(./prop[@name='leveraged-authorization-uuid']) and ./prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type='service' and ./prop[@name='implementation-point' and @value='internal'] and ./prop[@name='direction']) or (@type='software' and ./prop[@name='asset-type' and @value='cli'] and ./prop[@name='direction'])]" test="count(./prop[@name='authentication-method' and @ns='http://fedramp.gov/ns/oscal']) = count(./prop[@name='authentication-method' and @ns='http://fedramp.gov/ns/oscal']/remarks)" level="ERROR"> <formal-name>Authentication Method Has Remarks</formal-name> <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#leveraged-fedramp-authorized-services"/> <message>Each authentication method in a FedRAMP SSP MUST have a remarks field.</message> </expect> + <expect id="component-has-diagram-label" target="component[not(@uuid=$inventory-linked-component-uuids) and @type=('hardware', 'software', 'service', 'interconnection')]" test="count(prop[@name='diagram-label' and @ns='http://fedramp.gov/ns/oscal']) = 1" level="ERROR"> 
+ <formal-name>Component Has Diagram Label</formal-name> + <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/> + <message>In a FedRAMP SSP, each hardware, software, service, and interconnection component MUST include the diagram label.</message> + </expect> <expect id="component-has-used-by-link" target="component[protocol]" test="count(link[@rel='used-by']) >= 1" level="ERROR"> <formal-name>Component Has Used-By Link</formal-name> <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#ports-protocols-and-services"/> 
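Review bot: The new `component-has-diagram-label` expect tests `count(prop[...]) = 1`, while the sibling `inventory-item-has-diagram-label` added in the same change tests `>= 1`, so a component carrying two `diagram-label` props fails here but the same duplication on an inventory item passes; the message also says every hardware, software, service and interconnection component MUST include the label, yet the target excludes any component referenced from an `inventory-item/implemented-component`, and neither the message nor the formal-name mentions that. Either relax the test to `>= 1` for consistency, or keep `= 1` and state both conditions in the message, e.g. `In a FedRAMP SSP, each hardware, software, service, and interconnection component that is not referenced by an inventory item MUST include exactly one diagram label; inventory-linked components are checked by inventory-item-has-diagram-label.` The enclosing `<context>` and its other `let` bindings start before this hunk, so I am judging the target only from the `$inventory-linked-component-uuids` binding visible here.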
@@ -693,6 +699,11 @@ <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/> <message>In a FedRAMP SSP, each inventory item MUST define the asset type either in the inventory item itself or within the linked component.</message> </expect> + <expect id="inventory-item-has-diagram-label" target="." test="count(prop[@name='diagram-label' and @ns='http://fedramp.gov/ns/oscal']) >= 1 or count(../component[@uuid=$component-uuid]/prop[@name='diagram-label' and @ns='http://fedramp.gov/ns/oscal']) >= 1" level="ERROR"> + <formal-name>Inventory Item Has Diagram Label</formal-name> + <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/> + <message>In a FedRAMP SSP, each inventory item MUST include the diagram label either in the inventory item itself or within the linked component.</message> + </expect> <expect id="inventory-item-has-function" target="." test="exists(prop[@name='function']/remarks) or exists($implemented-component/prop[@name='function']/remarks)" level="ERROR"> <formal-name>Inventory Item Has Function</formal-name> <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/> 
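Review bot: `inventory-item-has-diagram-label` depends on `$component-uuid`, which is not declared anywhere in this hunk, whereas the adjacent `inventory-item-has-function` reaches the linked component through `$implemented-component`; if `$component-uuid` is not a `let` already bound in this inventory-item context, the second branch of the `or` is always empty and every item that relies on its linked component's label fails. Assuming `$implemented-component` resolves to the linked component node(s) as the neighbouring constraint implies, `exists(prop[@name='diagram-label' and @ns='http://fedramp.gov/ns/oscal']) or exists($implemented-component/prop[@name='diagram-label' and @ns='http://fedramp.gov/ns/oscal'])` would match that style and drop the extra variable. The FAIL fixture for this constraint has no `implemented-component` at all, so the linked-component branch is never exercised negatively; a second fixture whose `implemented-component` points at a component that also lacks the prop would cover it.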
@@ -713,11 +724,11 @@ <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/> <message>In a FedRAMP SSP, each inventory item MUST include the vendor name in the inventory item itself or within the linked component.</message> </expect> -<expect id="scan-type-has-remarks" target="..//prop[@name='scan-type' and @ns='http://fedramp.gov/ns/oscal' and @value=('other','not-applicable')]" test="exists(remarks)" level="ERROR"> - <formal-name>Scan Type Has Remarks</formal-name> - <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/> - <message>When scan-type is 'other' or 'not-applicable', remarks MUST be provided to explain the selection.</message> -</expect> + <expect id="scan-type-has-remarks" target="..//prop[@name='scan-type' and @ns='http://fedramp.gov/ns/oscal' and @value=('other','not-applicable')]" test="exists(remarks)" level="ERROR"> + <formal-name>Scan Type Has Remarks</formal-name> + <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/> + <message>When scan-type is 'other' or 'not-applicable', remarks MUST be provided to explain the selection.</message> + </expect> </constraints> </context> diff --git a/src/validations/constraints/unit-tests/component-has-diagram-label-FAIL.yaml b/src/validations/constraints/unit-tests/component-has-diagram-label-FAIL.yaml new file mode 100644 index 000000000..22e0e083d --- /dev/null +++ b/src/validations/constraints/unit-tests/component-has-diagram-label-FAIL.yaml 
@@ -0,0 +1,9 @@ +test-case: + name: Negative Test for component-has-diagram-label + description: >- + This test case validates the behavior of constraint + component-has-diagram-label + content: ../content/ssp-component-has-diagram-label-INVALID.xml + expectations: + - constraint-id: component-has-diagram-label + result: fail diff --git a/src/validations/constraints/unit-tests/component-has-diagram-label-PASS.yaml b/src/validations/constraints/unit-tests/component-has-diagram-label-PASS.yaml new file mode 100644 index 000000000..1304aaf79 --- /dev/null +++ b/src/validations/constraints/unit-tests/component-has-diagram-label-PASS.yaml @@ -0,0 +1,9 @@ +test-case: + name: Positive Test for component-has-diagram-label + description: >- + This test case validates the behavior of constraint + component-has-diagram-label + content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml + expectations: + - constraint-id: component-has-diagram-label + result: pass diff --git a/src/validations/constraints/unit-tests/inventory-item-has-diagram-label-FAIL.yaml b/src/validations/constraints/unit-tests/inventory-item-has-diagram-label-FAIL.yaml new file mode 100644 index 000000000..76254972d --- /dev/null +++ b/src/validations/constraints/unit-tests/inventory-item-has-diagram-label-FAIL.yaml @@ -0,0 +1,9 @@ +test-case: + name: Negative Test for inventory-item-has-diagram-label + description: >- + This test case validates the behavior of constraint + inventory-item-has-diagram-label + content: ../content/ssp-inventory-item-has-diagram-label-INVALID.xml + expectations: + - constraint-id: inventory-item-has-diagram-label + result: fail diff --git a/src/validations/constraints/unit-tests/inventory-item-has-diagram-label-PASS.yaml b/src/validations/constraints/unit-tests/inventory-item-has-diagram-label-PASS.yaml new file mode 100644 index 000000000..f79ec3287 --- /dev/null +++ b/src/validations/constraints/unit-tests/inventory-item-has-diagram-label-PASS.yaml 
@@ -0,0 +1,9 @@ +test-case: + name: Positive Test for inventory-item-has-diagram-label + description: >- + This test case validates the behavior of constraint + inventory-item-has-diagram-label + content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml + expectations: + - constraint-id: inventory-item-has-diagram-label + result: pass