Merge branch 'develop' into 931-connection-security

features/fedramp_extensions.feature

@@ -73,6 +73,7 @@ Examples:
   | has-identity-assurance-level |
   | has-incident-response-plan |
   | has-information-system-contingency-plan |
+  | has-inventory-items |
   | has-network-architecture |
   | has-network-architecture-diagram |
   | has-network-architecture-diagram-caption |
@@ -101,6 +102,10 @@ Examples:
   | inventory-item-allows-authenticated-scan |
   | inventory-item-public |
   | inventory-item-virtual |
+  | leveraged-authorization-has-authorization-type |
+  | leveraged-authorization-has-impact-level |
+  | leveraged-authorization-has-system-identifier |
+  | leveraged-authorization-nature-of-agreement |
   | marking |
   | missing-response-components |
   | party-has-name |
@@ -118,9 +123,13 @@ Examples:
   | role-defined-prepared-by |
   | role-defined-prepared-for |
   | role-defined-system-owner |
+  | saas-has-leveraged-authorization |
   | scan-type |
   | security-level |
   | security-sensitivity-level-matches-security-impact-level |
+  | unique-inventory-item-asset-id |
+  | unique-inventory-item-asset-id |
+  | user-authentication |
   | user-has-authorized-privilege |
   | user-has-privilege-level |
   | user-has-role-id |
@@ -298,6 +307,14 @@ Examples:
   | inventory-item-public-PASS.yaml |
   | inventory-item-virtual-FAIL.yaml |
   | inventory-item-virtual-PASS.yaml |
+  | leveraged-authorization-has-authorization-type-FAIL.yaml |
+  | leveraged-authorization-has-authorization-type-PASS.yaml |
+  | leveraged-authorization-has-impact-level-FAIL.yaml |
+  | leveraged-authorization-has-impact-level-PASS.yaml |
+  | leveraged-authorization-has-system-identifier-FAIL.yaml |
+  | leveraged-authorization-has-system-identifier-PASS.yaml |
+  | leveraged-authorization-nature-of-agreement-FAIL.yaml |
+  | leveraged-authorization-nature-of-agreement-PASS.yaml |
   | marking-FAIL.yaml |
   | marking-PASS.yaml |
   | missing-response-components-FAIL.yaml |
@@ -332,6 +349,8 @@ Examples:
   | role-defined-prepared-for-PASS.yaml |
   | role-defined-system-owner-FAIL.yaml |
   | role-defined-system-owner-PASS.yaml |
+  | saas-has-leveraged-authorization-FAIL.yaml |
+  | saas-has-leveraged-authorization-PASS.yaml |
   | scan-type-FAIL.yaml |
   | scan-type-PASS.yaml |
   | security-level-FAIL.yaml |
@@ -340,6 +359,8 @@ Examples:
   | security-sensitivity-level-matches-security-impact-level-PASS.yaml |
   | unique-inventory-item-asset-id-FAIL.yaml |
   | unique-inventory-item-asset-id-PASS.yaml |
+  | user-authentication-FAIL.yaml |
+  | user-authentication-PASS.yaml |
   | user-has-authorized-privilege-FAIL.yaml |
   | user-has-authorized-privilege-PASS.yaml |
   | user-has-privilege-level-FAIL.yaml |

src/validations/constraints/content/ssp-all-VALID.xml

@@ -259,6 +259,21 @@
   </system-characteristics>
 
   <system-implementation>
+
+    <leveraged-authorization uuid="233e0f09-fe5e-47e2-bca3-5f32df75e57a">
+      <title>GovCloud</title>
+      <prop ns="https://fedramp.gov/ns/oscal" name="leveraged-system-identifier" value="F1603047866"/>
+      <prop ns="https://fedramp.gov/ns/oscal" name="authorization-type" value="fedramp-agency"/>
+      <prop ns="https://fedramp.gov/ns/oscal" name="impact-level" value="moderate"/>
+      <link href="//path/to/leveraged_system_ssp.xml"/>
+      <party-uuid>f0bc13a4-3303-47dd-80d3-380e159c8362</party-uuid>
+      <date-authorized>2015-01-01</date-authorized>
+      <remarks>
+        <p>Use one leveraged-authorization assembly for each underlying system. In the legacy world, these may be general support systems.</p>
+        <p>The link fields are optional, but preferred when known. Often, a leveraging system's SSP author will not have access to the leveraged system's SSP, but should have access to the leveraged system's CRM.</p>
+      </remarks>
+    </leveraged-authorization>
+
     <user uuid="44444444-0000-4000-9000-000000000004">
       <title>System Administrator</title>
       <prop name="type" value="internal"/>
@@ -270,7 +285,6 @@
         <description><p>admin user</p></description>
         <function-performed>administration</function-performed>
       </authorized-privilege>
-
     </user>
 
     <component uuid="55555555-0000-4000-9000-000000000005" type="this-system">
@@ -287,14 +301,29 @@
         <p>This is the primary application server for the system.</p>
       </remarks>
     </component>
-
+
+    <component uuid="6ac88fd2-7c7b-4357-af2e-f22ccd3ead26" type="system">
+      <title>An External Leveraged System</title>
+      <description>
+        <p>An external leveraged system.</p>
+      </description>
+      <prop name="leveraged-authorization-uuid" value="233e0f09-fe5e-47e2-bca3-5f32df75e57a"/>
+      <prop name="nature-of-agreement" ns="https://fedramp.gov/ns/oscal" value="sla"/>
+      <status state="operational"/>
+    </component>
+
     <component uuid="66666666-0000-4000-9000-000000000006" type="interconnection">
       <title>External API Connection</title>
       <description>
         <p>Secure connection to an external API for data enrichment.</p>
       </description>
       <prop name="interconnection-security" value="vpn" ns="https://fedramp.gov/ns/oscal"/>
       <prop name="interconnection-direction" value="in/out" ns="https://fedramp.gov/ns/oscal"/>
+      <prop ns="https://fedramp.gov/ns/oscal" name="authentication-method" value="yes">
+        <remarks>
+          <p>Some description of the authentication method.</p>
+        </remarks>
+      </prop>
       <status state="operational"/>
       <responsible-role role-id="system-admin">
         <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>

src/validations/constraints/content/ssp-leveraged-authorization-has-authorization-type-INVALID.xml

@@ -0,0 +1,8 @@
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" uuid="12345678-1234-4321-8765-123456789012">
+  <system-implementation>
+    <leveraged-authorization uuid="5a9c98ab-8e5e-433d-a7bd-515c07cd1497">
+      <!-- <prop ns="http://fedramp.gov/ns/oscal" name="authorization-type" value="fedramp-agency"/> Missing authorization-type -->
+      <date-authorized>2015-01-01</date-authorized>
+    </leveraged-authorization>
+  </system-implementation>
+</system-security-plan>

src/validations/constraints/content/ssp-leveraged-authorization-has-impact-level-INVALID.xml

@@ -0,0 +1,9 @@
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" uuid="12345678-1234-4321-8765-123456789012">
+  <system-implementation>
+    <leveraged-authorization uuid="5a9c98ab-8e5e-433d-a7bd-515c07cd1497">
+      <!-- <prop ns="http://fedramp.gov/ns/oscal" name="impact-level" value="moderate"/> Missing impact-level -->
+      <party-uuid>f0bc13a4-3303-47dd-80d3-380e159c8362</party-uuid>
+      <date-authorized>2015-01-01</date-authorized>
+    </leveraged-authorization>
+  </system-implementation>
+</system-security-plan>

src/validations/constraints/content/ssp-leveraged-authorization-has-system-identifier-INVALID.xml

@@ -0,0 +1,7 @@
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" uuid="12345678-1234-4321-8765-123456789012">
+  <system-implementation>
+    <leveraged-authorization uuid="5a9c98ab-8e5e-433d-a7bd-515c07cd1497">
+      <!-- <prop ns="http://fedramp.gov/ns/oscal" name="leveraged-system-identifier" value="F1603047866"/> Missing leveraged-system-identifier -->
+    </leveraged-authorization>
+  </system-implementation>
+</system-security-plan>

src/validations/constraints/content/ssp-leveraged-authorization-nature-of-agreement-INVALID.xml

@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+
+  <system-implementation>
+    <component uuid="6ac88fd2-7c7b-4357-af2e-f22ccd3ead26" type="system">
+      <title>An External Leveraged System</title>
+      <description>
+        <p>An external leveraged system.</p>
+      </description>
+      <prop name="leveraged-authorization-uuid" uuid="233e0f09-fe5e-47e2-bca3-5f32df75e57a" value="contract"/>
+      <prop name="nature-of-agreement" uuid="306e68da-86c3-4c18-b559-e95d85fb71e7" ns="https://fedramp.gov/ns/oscal" value="invalid"/>
+      <status state="operational"/>
+    </component>
+  </system-implementation>
+
+</system-security-plan>

src/validations/constraints/content/ssp-saas-has-leveraged-authorization-INVALID.xml

@@ -0,0 +1,8 @@
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd" uuid="12345678-1234-4321-8765-123456789012">
+  <system-characteristics>
+    <prop name="cloud-service-model" value="saas"/>
+  </system-characteristics>
+  <system-implementation>
+    <!-- Missing leveraged authorization -->
+  </system-implementation>
+</system-security-plan>