Add system-characteristics 'cia-has' and 'has-system-name-short' cons…

…traints (#689)

* Added system-characteristics 'cia-impact' and 'has-system-name-short' constraints and tests

* rephrase for clarity

* Create separate invalid tests

* Add more detailed test descriptions

* Adjust ssp-all-VALID.xml to have valid security levels

* Cleanup metapath

* Add help-url props

* Capitalize things

* add n

features/fedramp_extensions.feature

@@ -25,6 +25,10 @@ Examples:
   | categorization-has-correct-system-attribute-PASS.yaml |
   | categorization-has-information-type-id-FAIL.yaml |
   | categorization-has-information-type-id-PASS.yaml |
+  | cia-impact-has-adjustment-justification-FAIL.yaml |
+  | cia-impact-has-adjustment-justification-PASS.yaml |
+  | cia-impact-has-selected-FAIL.yaml |
+  | cia-impact-has-selected-PASS.yaml |
   | cloud-service-model-FAIL.yaml |
   | cloud-service-model-PASS.yaml |
   | component-type-FAIL.yaml |
@@ -111,6 +115,8 @@ Examples:
   | has-separation-of-duties-matrix-PASS.yaml |
   | has-system-id-FAIL.yaml |
   | has-system-id-PASS.yaml |
+  | has-system-name-short-FAIL.yaml |
+  | has-system-name-short-PASS.yaml |
   | has-user-guide-FAIL.yaml |
   | has-user-guide-PASS.yaml |
   | import-profile-has-href-attribute-FAIL.yaml |
@@ -183,6 +189,8 @@ Examples:
   | authorization-type |
   | categorization-has-correct-system-attribute |
   | categorization-has-information-type-id |
+  | cia-impact-has-adjustment-justification |
+  | cia-impact-has-selected |
   | cloud-service-model |
   | component-type |
   | control-implementation-status |
@@ -226,6 +234,7 @@ Examples:
   | has-security-sensitivity-level |
   | has-separation-of-duties-matrix |
   | has-system-id |
+  | has-system-name-short |
   | has-user-guide |
   | import-profile-has-href-attribute |
   | import-profile-has-valid-content |

src/validations/constraints/content/ssp-all-VALID.xml

@@ -114,6 +114,7 @@
   <system-characteristics>
     <system-id identifier-type="https://fedramp.gov">F00000001</system-id>
     <system-name>Enhanced Example System</system-name>
+    <system-name-short>System's Short Name or Acronym</system-name-short>
     <description>
       <p>This is an enhanced example system for demonstration purposes, incorporating more FedRAMP-specific elements.</p>
     </description>
@@ -135,12 +136,22 @@
         </categorization>
         <confidentiality-impact>
           <base>fips-199-high</base>
+          <selected>fips-199-high</selected>
+          <!-- adjustment-justification removed to ensure cia-impact-has-adjustment-justification passes when base and selected have the same impact level -->
         </confidentiality-impact>
         <integrity-impact>
           <base>fips-199-moderate</base>
+          <selected>fips-199-low</selected>
+          <adjustment-justification>
+            <p>Required if the base and selected values do not match.</p>
+          </adjustment-justification>
         </integrity-impact>
         <availability-impact>
-          <base>fips-199-low</base>
+          <base>fips-199-high</base>
+          <selected>fips-199-low</selected>
+          <adjustment-justification>
+            <p>Required if the base and selected values do not match.</p>
+          </adjustment-justification>
         </availability-impact>
       </information-type>
     </system-information>

src/validations/constraints/content/ssp-cia-impact-has-adjustment-justification-INVALID.xml

@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+  <system-characteristics>
+    <system-information>
+      <information-type  uuid="33333333-0000-4000-9000-000000000003">
+        <confidentiality-impact>
+          <base>high</base>
+          <selected>low</selected>
+          <!-- adjustment-justification removed to ensure cia-impact-has-adjustment-justification passes when base and selected have the same impact level -->
+        </confidentiality-impact>
+        <integrity-impact>
+          <base>moderate</base>
+          <selected>fips-199-moderate</selected>
+        </integrity-impact>
+        <availability-impact>
+          <base>low</base>
+               <selected>fips-199-low</selected>
+        </availability-impact>
+      </information-type>
+    </system-information>
+  </system-characteristics>
+</system-security-plan>

src/validations/constraints/content/ssp-cia-impact-has-selected-INVALID.xml

@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+  <system-characteristics>
+    <system-information>
+      <information-type  uuid="33333333-0000-4000-9000-000000000003">
+        <confidentiality-impact>
+          <base>high</base>
+        </confidentiality-impact>
+        <integrity-impact>
+          <base>moderate</base>
+               <adjustment-justification>
+                  <p>Required if the base and selected values do not match.</p>
+               </adjustment-justification>
+        </integrity-impact>
+        <availability-impact>
+          <base>low</base>
+               <adjustment-justification>
+                  <p>Required if the base and selected values do not match.</p>
+               </adjustment-justification>
+        </availability-impact>
+      </information-type>
+    </system-information>
+  </system-characteristics>
+</system-security-plan>

src/validations/constraints/content/ssp-has-system-name-short-INVALID.xml

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+  <system-characteristics>
+  </system-characteristics>
+</system-security-plan>

src/validations/constraints/fedramp-external-constraints.xml

@@ -194,6 +194,18 @@
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#system-information-and-information-types"/>
                 <message>A FedRAMP SSP information type MUST have an availability impact.</message>
             </expect>
+            <expect id="cia-impact-has-selected" target="system-characteristics/system-information/information-type/(confidentiality-impact | integrity-impact | availability-impact)" test="selected" level="ERROR">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#system-information-and-information-types"/>
+                <message>A FedRAMP SSP information type confidentiality, integrity, or availability impact MUST specify the selected impact.</message>
+            </expect>
+            <expect id="cia-impact-has-adjustment-justification" target="system-characteristics/system-information/information-type/(confidentiality-impact | integrity-impact | availability-impact)" test="if (base ne selected) then exists(adjustment-justification) else true()" level="ERROR">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#system-information-and-information-types"/>
+                <message>When SP 800-60 base and selected impacts levels differ for a given information type, the SSP MUST include a justification for the difference.</message>
+            </expect>
+            <expect id="has-system-name-short" target="system-characteristics" test="system-name-short" level="ERROR">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#system-name-abbreviation-and-fedramp-unique-identifier"/>
+                <message>A FedRAMP SSP MUST have a short system name.</message>
+            </expect>
         </constraints>
     </context>
     <context>

src/validations/constraints/unit-tests/cia-impact-has-adjustment-justification-FAIL.yaml

@@ -0,0 +1,7 @@
+test-case:
+  name: Negative Test for cia-impact-has-adjustment-justification
+  description: Test that if an SSP system-characteristics system-information information-type (confidentiality-impact/integrity-impact/availability-impact) base element is not equal to the selected element, then an adjustment-justification element doesn't exist. This test shouldn't return true because the invalid test data should only include the fail case.
+  content: ../content/ssp-cia-impact-has-adjustment-justification-INVALID.xml
+  expectations:
+    - constraint-id: cia-impact-has-adjustment-justification
+      result: fail

src/validations/constraints/unit-tests/cia-impact-has-adjustment-justification-PASS.yaml

@@ -0,0 +1,7 @@
+test-case:
+  name: Positive Test for cia-impact-has-adjustment-justification
+  description: Test that if an SSP system-characteristics system-information information-type (confidentiality-impact/integrity-impact/availability-impact) base element is not equal to the selected element, then an adjustment-justification element exists. If the base element equals the selected element, then it returns true.
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: cia-impact-has-adjustment-justification
+      result: pass

src/validations/constraints/unit-tests/cia-impact-has-selected-FAIL.yaml

@@ -0,0 +1,7 @@
+test-case:
+  name: Negative Test for cia-impact-has-selected
+  description: Test that an SSP system-characteristics system-information information-type (confidentiality-impact/integrity-impact/availability-impact) element does not have a selected element.
+  content: ../content/ssp-cia-impact-has-selected-INVALID.xml
+  expectations:
+    - constraint-id: cia-impact-has-selected
+      result: fail

src/validations/constraints/unit-tests/cia-impact-has-selected-PASS.yaml

@@ -0,0 +1,7 @@
+test-case:
+  name: Positive Test for cia-impact-has-selected
+  description: Test that an SSP system-characteristics system-information information-type (confidentiality-impact/integrity-impact/availability-impact) element has selected element.
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: cia-impact-has-selected
+      result: pass

src/validations/constraints/unit-tests/has-system-name-short-FAIL.yaml

@@ -0,0 +1,7 @@
+test-case:
+  name: Negative Test for has-system-name-short
+  description: Test that an SSP system-characteristics element does not have a system-name-short element.
+  content: ../content/ssp-has-system-name-short-INVALID.xml
+  expectations:
+    - constraint-id: has-system-name-short
+      result: fail

src/validations/constraints/unit-tests/has-system-name-short-PASS.yaml

@@ -0,0 +1,7 @@
+test-case:
+  name: Positive Test for has-system-name-short
+  description: Test that an SSP system-characteristics element has a system-name-short element.
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: has-system-name-short
+      result: pass