has-required-response-points must only check for "statement" response points

[brian-ruf]

Constraint Task

Currently this constraint is checking the SSP for all response points found in the specified FedRAMP baseline, while only some of the response points apply to SSP and others apply to the SAR/Test Case Workbook.

As a result the constraint is incorrectly generating errors because assessment objective response points are not found in the SSP.

When considering the resulting resolved profile catalog for any baseline, only the response points that are children of the //control/item[@name='statement']

Please refer to the targets in the metapath content of issue #1005

Although I think it can be re-written as in the Metapath Content below.

Intended Outcome

Only response points under control statements should be found in the SSP implemented-requirements.
Response points under control objectives should not appear in the SSP and should not cause an error due to their absence.

Syntax Type

This is required core OSCAL syntax.

Allowed Values

There are no relevant allowed values.

Metapath(s) to Content

context="//control/part[@name='statement']"

target=".//prop[@name='response-point' and @ns='http://fedramp.gov/ns/oscal']/../@id`

Purpose of the OSCAL Content

Ensure every control statement flagged with a response-point in the FedRAMP baseline has a corresponding //implemented-requirement/statement in the SSP.

Dependencies

No response

Acceptance Criteria

• All OSCAL adoption content affected by the change in this issue have been updated in accordance with the Documentation Standards.
  • Explanation is present and accurate
  • sample content is present and accurate
  • Metapath is present, accurate, and does not throw a syntax exception using oscal-cli metaschema metapath eval -e "expression".
• All constraints associated with the review task have been created
• The appropriate example OSCAL file is updated with content that demonstrates the FedRAMP-compliant OSCAL presentation.
• The constraint conforms to the FedRAMP Constraint Style Guide.
  • All automated and manual review items that identify non-conformance are addressed; or technical leads (David Waltermire; AJ Stein) have approved the PR and “override” the style guide requirement.
• Known good test content is created for unit testing.
• Known bad test content is created for unit testing.
• Unit testing is configured to run both known good and known bad test content examples.
• Passing and failing unit tests, and corresponding test vectors in the form of known valid and invalid OSCAL test files, are created or updated for each constraint.
• A Pull Request (PR) is submitted that fully addresses the goals section of the User Story in the issue.
• This issue is referenced in the PR.

Other information

@wandmagic created PR #1070 to address this.

[JoseGHdz]

I am having the same issue.

[wandmagic]

i believe this is in develop

[Rene2mt]

It looks like this SSP response-point map is targeting correctly and then is used in the has-required-response-point index has key constraint. I think this one may have been updated already.