Fix security-sensitivity-level-matches-security-impact-level

[brian-ruf]

Constraint Task

The security-sensitivity-level-matches-security-impact-level constraint is not working correctly. It reports the following error, even though the stated reason is not correct:
A FedRAMP SSP SHOULD define its FIPS-199 security sensitivity level to match the highest security impact level for the system's confidentiality, integrity, and availability objectives.

The example SSP currently has a security-sensitivity-level of fips-199-high, while all three security-impact-level values are fips-199-moderate

Further, upon inspection it appears the constraint is only checking for equality, which is incorrect.

Current Data Incorrectly Triggering the Error

    <security-sensitivity-level>fips-199-high</security-sensitivity-level>
   <!-- cut: system-information -->
    <security-impact-level>
      <security-objective-confidentiality>fips-199-moderate</security-objective-confidentiality>
      <security-objective-integrity>fips-199-moderate</security-objective-integrity>
      <security-objective-availability>fips-199-moderate</security-objective-availability>
    </security-impact-level>

Intended Outcome

Among the possible values of fips-199-low, fips-199-moderate and fips-199-high for security-sensitivity-level and the three security-impact-level objectives, the security sensitivity level must be as high or higher than the highest security impact level/objective.

EDIT (Adding): This should be an ERROR. Not a Warning.

Syntax Type

This is required core OSCAL syntax.

Allowed Values

There are no relevant allowed values.

Metapath(s) to Content

//system-characteristics/security-sensitivity-level

//system-characteristics/security-impact-level/security-objective-confidentiality
//system-characteristics/security-impact-level/security-objective-integrity
//system-characteristics/security-impact-level/security-objective-availability

Purpose of the OSCAL Content

FedRAMP requires that the sensitivity level of the system is determined by the "high water mark" of the security impact levels.

Dependencies

No response

Acceptance Criteria

• All OSCAL adoption content affected by the change in this issue have been updated in accordance with the Documentation Standards.
  • Explanation is present and accurate
  • sample content is present and accurate
  • Metapath is present, accurate, and does not throw a syntax exception using oscal-cli metaschema metapath eval -e "expression".
• All constraints associated with the review task have been created
• The appropriate example OSCAL file is updated with content that demonstrates the FedRAMP-compliant OSCAL presentation.
• The constraint conforms to the FedRAMP Constraint Style Guide.
  • All automated and manual review items that identify non-conformance are addressed; or technical leads (David Waltermire; AJ Stein) have approved the PR and “override” the style guide requirement.
• Known good test content is created for unit testing.
• Known bad test content is created for unit testing.
• Unit testing is configured to run both known good and known bad test content examples.
• Passing and failing unit tests, and corresponding test vectors in the form of known valid and invalid OSCAL test files, are created or updated for each constraint.
• A Pull Request (PR) is submitted that fully addresses the goals section of the User Story in the issue.
• This issue is referenced in the PR.

Other information

No response

[brian-ruf]

Also, this should raise an ERROR. Not a warning.