Update Example SSP #1163

Open
3 of 9 tasks
Rene2mt opened this issue Feb 17, 2025 · 1 comment · May be fixed by #1162

Rene2mt commented Feb 17, 2025

This is a ...

improvement - something could be better

This relates to ...

  • the FedRAMP OSCAL baselines
  • the FedRAMP SSP OSCAL Example
  • the FedRAMP SAP OSCAL Example
  • the FedRAMP SAR OSCAL Example
  • the FedRAMP POA&M OSCAL Example
  • the FedRAMP OSCAL Validations
  • the Not sure

User Story

As a FedRAMP developer, I want to make sure the sample SSP has the latest content (and any modeling changes), so that the unit test suite and developed constraints are run against valid example SSP content.

Goals

  • Merge SSP changes from working branch.
  • Run validations on the example SSP and resolve discovered issues

Dependencies

No response

Acceptance Criteria

  • All FedRAMP Documents Related to OSCAL Adoption (https://github.com/GSA/fedramp-automation) affected by the changes in this issue have been updated.
  • A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.

Other information

No response

@Rene2mt Rene2mt moved this from 🆕 New to 🏗 In progress in FedRAMP Automation Feb 17, 2025
@Rene2mt Rene2mt linked a pull request Feb 17, 2025 that will close this issue

Rene2mt commented Feb 19, 2025

Below is a summary of the remaining / blocked SSP validation issues.

User Role and Type Info

The example SSP has the following remaining user-has-role-id and user-has-user-type validation errors; however, we are considering deprecating these two constraints since the SSP rev5 template has significantly changed the user table.

[ERROR] [/system-security-plan/system-implementation[1]/user[1]] user-has-role-id: A FedRAMP document MUST define a user with at least one role by a role identifier.
[ERROR] [/system-security-plan/system-implementation[1]/user[1]] user-has-user-type: A FedRAMP document MUST define a user with a type.       
[ERROR] [/system-security-plan/system-implementation[1]/user[2]] user-has-role-id: A FedRAMP document MUST define a user with at least one role by a role identifier.
[ERROR] [/system-security-plan/system-implementation[1]/user[2]] user-has-user-type: A FedRAMP document MUST define a user with a type.       
[ERROR] [/system-security-plan/system-implementation[1]/user[3]] user-has-role-id: A FedRAMP document MUST define a user with at least one role by a role identifier.
[ERROR] [/system-security-plan/system-implementation[1]/user[3]] user-has-user-type: A FedRAMP document MUST define a user with a type.       
[ERROR] [/system-security-plan/system-implementation[1]/user[4]] user-has-role-id: A FedRAMP document MUST define a user with at least one role by a role identifier.
[ERROR] [/system-security-plan/system-implementation[1]/user[4]] user-has-user-type: A FedRAMP document MUST define a user with a type.       
[ERROR] [/system-security-plan/system-implementation[1]/user[5]] user-has-role-id: A FedRAMP document MUST define a user with at least one role by a role identifier.
[ERROR] [/system-security-plan/system-implementation[1]/user[5]] user-has-user-type: A FedRAMP document MUST define a user with a type.

Automation team will confirm with review teams if information mapping user -> role is still required. See #902.

Ports & Protocols on Non-Service Components

There are also several errors due to non "service" components providing protocol information.

[ERROR] [/system-security-plan/system-implementation[1]/component[5]] Expect constraint 'not(exists((.)[not(@type='service')]/protocol))' did not match the data at path '/system-security-plan/system-implementation[1]/component[5]'
[ERROR] [/system-security-plan/system-implementation[1]/component[20]] Expect constraint 'not(exists((.)[not(@type='service')]/protocol))' did not match the data at path '/system-security-plan/system-implementation[1]/component[20]'
[ERROR] [/system-security-plan/system-implementation[1]/component[36]] Expect constraint 'not(exists((.)[not(@type='service')]/protocol))' did not match the data at path '/system-security-plan/system-implementation[1]/component[36]'

However, this is because we are using OSCAL v1.1.3. These errors will go away once

  1. NIST releases the next version of OSCAL (usnistgov/OSCAL@c1374a0 is queued up for the next OSCAL release), which will close out OSCAL/issues/2082
  2. OSCAL CLI uses the next OSCAL version (e.g. v1.1.4)
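
Added example (not part of the issue thread and not the project's own validation code): a small Python pre-check that reproduces the three findings discussed above on an OSCAL SSP in XML, reporting paths in the same style as the validator log. The sample document is constructed, the rule label protocol-on-non-service is a hypothetical name for the unnamed Expect constraint, and reading the user type from a prop named "type" is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"o": "http://csrc.nist.gov/ns/oscal/1.0"}  # OSCAL XML namespace

# Constructed sample, not the FedRAMP example SSP.
SAMPLE_SSP = """<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0">
  <system-implementation>
    <user uuid="u-1"><role-id>admin</role-id>
      <prop name="type" value="internal"/></user>
    <user uuid="u-2"><title>Auditor</title></user>
    <component uuid="c-1" type="service"><title>HTTPS API</title>
      <protocol uuid="p-1" name="https"/></component>
    <component uuid="c-2" type="software"><title>Database</title>
      <protocol uuid="p-2" name="postgres"/></component>
    <component uuid="c-3" type="software"><title>Agent</title></component>
  </system-implementation>
</system-security-plan>"""


def check_ssp(xml_text):
    """Return a list of (path, rule) findings for users and components."""
    root = ET.fromstring(xml_text)
    findings = []
    impls = root.findall("o:system-implementation", NS)
    for si_idx, si in enumerate(impls, 1):
        base = f"/system-security-plan/system-implementation[{si_idx}]"
        for i, user in enumerate(si.findall("o:user", NS), 1):
            # user-has-role-id: at least one non-empty <role-id>.
            roles = [r for r in user.findall("o:role-id", NS)
                     if (r.text or "").strip()]
            if not roles:
                findings.append((f"{base}/user[{i}]", "user-has-role-id"))
            # user-has-user-type. Assumption: type lives in <prop name="type">.
            if user.find("o:prop[@name='type']", NS) is None:
                findings.append((f"{base}/user[{i}]", "user-has-user-type"))
        for i, comp in enumerate(si.findall("o:component", NS), 1):
            # Mirrors not(exists((.)[not(@type='service')]/protocol)).
            has_protocol = comp.find("o:protocol", NS) is not None
            if comp.get("type") != "service" and has_protocol:
                findings.append((f"{base}/component[{i}]",
                                 "protocol-on-non-service"))  # hypothetical label
    return findings


if __name__ == "__main__":
    for path, rule in check_ssp(SAMPLE_SSP):
        print(f"[ERROR] [{path}] {rule}")
```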
