diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
index a565fcd05..2417d4537 100644
--- a/src/validations/constraints/fedramp-external-constraints.xml
+++ b/src/validations/constraints/fedramp-external-constraints.xml
@@ -3,22 +3,8 @@
     <!-- ================== -->
     <!-- FedRAMP Extensions -->
     <!-- ================== -->
-    <context>
-        <metapath target="/catalog//control"/>
-        <metapath target="/assessment-plan/local-definitions/objectives-and-methods"/>
-        <metapath target="/assessment-results/local-definitions/objectives-and-methods"/>
-        <constraints>
-            <expect id="prop-response-point-has-cardinality-one" target=".//part" test="count(prop[@ns='https://fedramp.gov/ns/oscal' and @name='response-point']) &lt;= 1">
-                <message>Duplicate response point at '{ path(.) }'.</message>
-            </expect>
-            <remarks>
-                <p>This appears in FedRAMP profiles and resolved profile catalogs.</p>
-                <p>For control statements, it signals to the CSP which statements require a response in the SSP.</p>
-                <p>For control objectives, it signals to the assessor which control objectives must appear in the assessment results, which aligns with the FedRAMP test case workbook.</p>
-             </remarks>
-        </constraints>
-    </context>
-    <context>
+
+        <context>
         <metapath target="//metadata"/>
         <constraints>
             <expect id="fedramp-version" target="." test="prop[@name='fedramp-version'][@ns='https://fedramp.gov/ns/oscal']">
@@ -31,43 +17,49 @@
             </expect>
         </constraints>
     </context>
-    <context>
-        <metapath target="/system-security-plan/metadata/location"/>
-        <constraints>
-            <expect id="data-center-country-code" target="." test="count(address/country) eq 1">
-                <message>Each data center address must contain a country code.</message>
-            </expect>
-            <expect id="data-center-US" target="." test="address/country eq 'US'">
-                <message>Each data center must have an address that is within the United States.</message>
-            </expect>
-        </constraints>
-    </context>
+
     <context>
         <metapath target="//user"/>
         <constraints>
-
-            <expect id="user-has-user-type" target="." test="count(prop[@name='type']) = 1">
+            <expect id="user-has-authorized-privilege" target="." test="count(authorized-privilege) gt 0">
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#user"/>
-                <message>A FedRAMP document MUST define a user with a type.</message>
+                <message>A FedRAMP document MUST define a user with at least one authorized privilege by a privilege identifier.</message>
             </expect>
             <expect id="user-has-privilege-level" target="." test="count(prop[@name='privilege-level'][@ns='https://fedramp.gov/ns/oscal']) = 1">
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#user"/>
                 <message>A FedRAMP document MUST define a user with a privilege for their use of the system.</message>
             </expect>
+            <expect id="user-has-role-id" target="." test="count(role-id) gt 0">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#user"/>
+                <message>A FedRAMP document MUST define a user with at least one role by a role identifier.</message>
+            </expect>
             <expect id="user-has-sensitivity-level" target="." test="count(prop[@name='sensitivity']) = 1">
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#user"/>
                 <message>A FedRAMP document MUST define a user with a sensitivity level of their use of the system.</message>
             </expect>
-            <expect id="user-has-role-id" target="." test="count(role-id) gt 0">
+            <expect id="user-has-user-type" target="." test="count(prop[@name='type']) = 1">
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#user"/>
-                <message>A FedRAMP document MUST define a user with at least one role by a role identifier.</message>
+                <message>A FedRAMP document MUST define a user with a type.</message>
             </expect>
-            <expect id="user-has-authorized-privilege" target="." test="count(authorized-privilege) gt 0">
-                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#user"/>
-                <message>A FedRAMP document MUST define a user with at least one authorized privilege by a privilege identifier.</message>
+        </constraints>
+    </context>
+
+    <context>
+        <metapath target="/catalog//control"/>
+        <metapath target="/assessment-plan/local-definitions/objectives-and-methods"/>
+        <metapath target="/assessment-results/local-definitions/objectives-and-methods"/>
+        <constraints>
+            <expect id="prop-response-point-has-cardinality-one" target=".//part" test="count(prop[@ns='https://fedramp.gov/ns/oscal' and @name='response-point']) &lt;= 1">
+                <message>Duplicate response point at '{ path(.) }'.</message>
             </expect>
+            <remarks>
+                <p>This appears in FedRAMP profiles and resolved profile catalogs.</p>
+                <p>For control statements, it signals to the CSP which statements require a response in the SSP.</p>
+                <p>For control objectives, it signals to the assessor which control objectives must appear in the assessment results, which aligns with the FedRAMP test case workbook.</p>
+             </remarks>
         </constraints>
     </context>
+
     <context>
         <metapath target="/system-security-plan"/>
         <constraints>
@@ -79,126 +71,160 @@
                 else if (//security-impact-level//* = 'fips-199-moderate')
                     then ('fips-199-moderate')
                 else ('fips-199-low')"/>
-            <expect id="resource-has-title" target="back-matter/resource" test="title" level="WARNING">
-                <message>Every supporting artifact found in a citation should have a title.</message>
-            </expect>
-            <expect id="resource-has-base64-or-rlink" target="back-matter/resource" test="count(./rlink) >= 1 or count(./base64) >= 1" level="WARNING">
-                <message>Every supporting artifact found in a citation must have at least one base64 or rlink element.</message>
-            </expect>
-            <expect id="has-user-guide" target="back-matter" test="resource[prop[@name eq 'type' and @value eq 'users-guide']]" level="ERROR">
-                <message>A FedRAMP SSP must have a User Guide attached.</message>
-            </expect>
-            <expect id="has-rules-of-behavior" target="back-matter" test="resource[prop[@name eq 'type' and @value eq 'rules-of-behavior']]" level="ERROR">
-                <message>A FedRAMP SSP must have Rules of Behavior.</message>
-            </expect>
-            <expect id="has-information-system-contingency-plan" target="back-matter" test="resource[prop[@name eq 'type' and @value eq 'plan' and @class eq 'information-system-contingency-plan']]" level="ERROR">
-                <message>A FedRAMP SSP must have a Contingency Plan attached.</message>
-            </expect>
-            <expect id="has-configuration-management-plan" target="back-matter" test="resource[prop[@name eq 'type' and @value eq 'plan' and @class eq 'configuration-management-plan']]" level="ERROR">
-                <message>A FedRAMP SSP must have a Configuration Management Plan attached.</message>
-            </expect>
-            <expect id="has-incident-response-plan" target="back-matter" test="resource[prop[@name eq 'type' and @value eq 'plan' and @class eq 'incident-response-plan']]" level="ERROR">
-                <message>A FedRAMP SSP must have an Incident Response Plan attached.</message>
-            </expect>
-            <expect id="has-separation-of-duties-matrix" target="back-matter" test="resource[prop[@name eq 'type' and @value eq 'separation-of-duties-matrix']]" level="ERROR">
-                <message>A FedRAMP SSP must have a Separation of Duties Matrix attached.</message>
-            </expect>
             <expect id="categorization-has-correct-system-attribute" target="system-characteristics/system-information/information-type/categorization" test="@system eq 'https://doi.org/10.6028/NIST.SP.800-60v2r1'" level="ERROR">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#system-information-and-information-types"/>
                 <message>A FedRAMP SSP information-type categorization requires a correct system attribute. FedRAMP only supports the system value 'https://doi.org/10.6028/NIST.SP.800-60v2r1'.</message>
             </expect>
             <expect id="categorization-has-information-type-id" target="system-characteristics/system-information/information-type/categorization" test="information-type-id" level="ERROR">
-                <message>A FedRAMP SSP information type categorization must have at least one information type identifier.</message>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#system-information-and-information-types"/>
+                <message>A FedRAMP SSP information type categorization MUST have at least one information type identifier.</message>
             </expect>
-            <expect id="has-identity-assurance-level" target="system-characteristics" test="exists(prop[@name eq 'identity-assurance-level'])" level="ERROR">
-                <message>A FedRAMP SSP must define its NIST SP 800-63 identity assurance level (IAL).</message>
+            <expect id="cia-impact-has-adjustment-justification" target="system-characteristics/system-information/information-type/(confidentiality-impact | integrity-impact | availability-impact)" test="if (base ne selected) then exists(adjustment-justification) else true()" level="ERROR">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#system-information-and-information-types"/>
+                <message>When SP 800-60 base and selected impacts levels differ for a given information type, the SSP MUST include a justification for the difference.</message>
             </expect>
-            <expect id="has-authenticator-assurance-level" target="system-characteristics" test="exists(prop[@name eq 'authenticator-assurance-level'])" level="ERROR">
-                <message>A FedRAMP SSP must define its NIST SP 800-63 authenticator assurance level (AAL).</message>
+            <expect id="cia-impact-has-selected" target="system-characteristics/system-information/information-type/(confidentiality-impact | integrity-impact | availability-impact)" test="selected" level="ERROR">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#system-information-and-information-types"/>
+                <message>A FedRAMP SSP information type confidentiality, integrity, or availability impact MUST specify the selected impact.</message>
             </expect>
-            <expect id="has-federation-assurance-level" target="system-characteristics" test="exists(prop[@name eq 'federation-assurance-level'])" level="ERROR">
-                <message>A FedRAMP SSP must define its NIST SP 800-63 federation assurance level (FAL).</message>
+            <expect id="has-authenticator-assurance-level" target="system-characteristics" test="exists(prop[@name eq 'authenticator-assurance-level'])" level="ERROR">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#digital-identity-level-dil-determination"/>
+                <message>A FedRAMP SSP MUST define its NIST SP 800-63 authenticator assurance level (AAL).</message>
             </expect>
             <expect id="has-authorization-boundary-diagram" target="system-characteristics/authorization-boundary" test="diagram" level="WARNING">
-                <message>A FedRAMP SSP must have at least one authorization boundary diagram.</message>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#authorization-boundary"/>
+                <message>A FedRAMP SSP MUST have at least one authorization boundary diagram.</message>
+            </expect>
+            <expect id="has-authorization-boundary-diagram-caption" target="system-characteristics/authorization-boundary/diagram" test="caption" level="ERROR">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#authorization-boundary"/>
+                <message>Each FedRAMP SSP authorization boundary diagram MUST have a caption.</message>
             </expect>
             <expect id="has-authorization-boundary-diagram-description" target="system-characteristics/authorization-boundary/diagram" test="description" level="ERROR">
-                <message>A FedRAMP SSP document authorization boundary diagram must have a description.</message>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#authorization-boundary"/>
+                <message>A FedRAMP SSP document authorization boundary diagram MUST have a description.</message>
             </expect>
             <expect id="has-authorization-boundary-diagram-link" target="system-characteristics/authorization-boundary/diagram" test="link" level="ERROR">
-                <message>Each FedRAMP SSP authorization boundary diagram must have a link.</message>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#authorization-boundary"/>
+                <message>Each FedRAMP SSP authorization boundary diagram MUST have a link.</message>
             </expect>
             <expect id="has-authorization-boundary-diagram-link-rel" target="system-characteristics/authorization-boundary/diagram/link" test="@rel" level="ERROR">
-                <message>Each FedRAMP SSP authorization boundary diagram must have a link rel attribute.</message>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#authorization-boundary"/>
+                <message>Each FedRAMP SSP authorization boundary diagram MUST have a link rel attribute.</message>
             </expect>
             <expect id="has-authorization-boundary-diagram-link-rel-allowed-value" target="system-characteristics/authorization-boundary/diagram/link" test="@rel eq 'diagram'" level="ERROR">
-                <message>Each FedRAMP SSP authorization boundary diagram must have a link rel attribute with the value "diagram".</message>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#authorization-boundary"/>
+                <message>Each FedRAMP SSP authorization boundary diagram MUST have a link rel attribute with the value "diagram".</message>
             </expect>
-            <expect id="has-authorization-boundary-diagram-caption" target="system-characteristics/authorization-boundary/diagram" test="caption" level="ERROR">
-                <message>Each FedRAMP SSP authorization boundary diagram must have a caption.</message>
+            <expect id="has-configuration-management-plan" target="back-matter" test="resource[prop[@name eq 'type' and @value eq 'plan' and @class eq 'configuration-management-plan']]" level="ERROR">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/"/>
+                <message>A FedRAMP SSP MUST have a Configuration Management Plan attached.</message>
             </expect>
-            <expect id="has-network-architecture" target="system-characteristics" test="network-architecture" level="ERROR">
-                <message>A FedRAMP SSP must include a network architecture.</message>
+            <expect id="has-data-flow" target="system-characteristics" test="data-flow" level="WARNING">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#data-flow"/>
+                <message>A FedRAMP SSP MUST include a data flow section.</message>
             </expect>
-            <expect id="has-network-architecture-diagram" target="system-characteristics/network-architecture" test="diagram" level="WARNING">
-                <message>A FedRAMP SSP must have at least one network architecture diagram.</message>
+            <expect id="has-data-flow-description" target="system-characteristics/data-flow" test="description" level="ERROR">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#data-flow"/>
+                <message>An OSCAL SSP document with a data flow MUST have a description.</message>
             </expect>
-            <expect id="has-network-architecture-diagram-description" target="system-characteristics/network-architecture/diagram" test="description" level="ERROR">
-                <message>Each FedRAMP SSP network architecture diagram must have a description.</message>
+            <expect id="has-data-flow-diagram" target="system-characteristics/data-flow" test="diagram" level="WARNING">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#data-flow"/>
+                <message>A FedRAMP SSP MUST have at least one data flow diagram.</message>
             </expect>
-            <expect id="has-network-architecture-diagram-link" target="system-characteristics/network-architecture/diagram" test="link" level="ERROR">
-                <message>Each FedRAMP SSP network architecture diagram must have a link.</message>
+            <expect id="has-data-flow-diagram-caption" target="system-characteristics/data-flow/diagram" test="caption" level="ERROR">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#data-flow"/>
+                <message>Each FedRAMP SSP data flow diagram MUST have a caption.</message>
             </expect>
-            <expect id="has-network-architecture-diagram-caption" target="system-characteristics/network-architecture/diagram" test="caption" level="ERROR">
-                <message>Each FedRAMP SSP network architecture diagram must have a caption.</message>
+            <expect id="has-data-flow-diagram-description" target="system-characteristics/data-flow/diagram" test="description" level="ERROR">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#data-flow"/>
+                <message>Each FedRAMP SSP data flow diagram MUST have a description.</message>
             </expect>
-            <expect id="has-network-architecture-diagram-link-rel" target="system-characteristics/network-architecture/diagram/link" test="@rel" level="ERROR">
-                <message>Each FedRAMP SSP network architecture diagram must have a link rel attribute.</message>
+            <expect id="has-data-flow-diagram-link" target="system-characteristics/data-flow/diagram" test="link" level="ERROR">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#data-flow"/>
+                <message>Each FedRAMP SSP data flow diagram MUST have a link.</message>
             </expect>
-            <expect id="has-network-architecture-diagram-link-rel-allowed-value" target="system-characteristics/network-architecture/diagram/link" test="@rel eq 'diagram'" level="ERROR">
-                <message>Each FedRAMP SSP network architecture diagram must have a link rel attribute with the value "diagram".</message>
+            <expect id="has-data-flow-diagram-link-rel" target="system-characteristics/data-flow/diagram/link" test="@rel" level="ERROR">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#data-flow"/>
+                <message>Each FedRAMP SSP data flow diagram MUST have a link rel attribute.</message>
             </expect>
-            <expect id="has-data-flow" target="system-characteristics" test="data-flow" level="WARNING">
-                <message>A FedRAMP SSP must include a data flow section.</message>
+            <expect id="has-data-flow-diagram-link-rel-allowed-value" target="system-characteristics/data-flow/diagram/link" test="@rel eq 'diagram'" level="ERROR">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#data-flow"/>
+                <message>Each FedRAMP SSP data flow diagram MUST have a link rel attribute with the value "diagram".</message>
             </expect>
-            <expect id="has-data-flow-diagram" target="system-characteristics/data-flow" test="diagram" level="WARNING">
-                <message>A FedRAMP SSP must have at least one data flow diagram.</message>
+            <expect id="has-data-flow-diagram-uuid" target="system-characteristics/data-flow/diagram" test="@uuid" level="ERROR">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#data-flow"/>
+                <message>An OSCAL SSP document with a data flow diagram MUST have a unique identifier.</message>
             </expect>
-            <expect id="has-data-flow-description" target="system-characteristics/data-flow" test="description" level="ERROR">
-                <message>An OSCAL SSP document with a data flow must have a description.</message>
+            <expect id="has-federation-assurance-level" target="system-characteristics" test="exists(prop[@name eq 'federation-assurance-level'])" level="ERROR">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#digital-identity-level-dil-determination"/>
+                <message>A FedRAMP SSP MUST define its NIST SP 800-63 federation assurance level (FAL).</message>
             </expect>
-            <expect id="has-data-flow-diagram-uuid" target="system-characteristics/data-flow/diagram" test="@uuid" level="ERROR">
-                <message>An OSCAL SSP document with a data flow diagram must have a unique identifier.</message>
+            <expect id="has-identity-assurance-level" target="system-characteristics" test="exists(prop[@name eq 'identity-assurance-level'])" level="ERROR">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#digital-identity-level-dil-determination"/>
+                <message>A FedRAMP SSP MUST define its NIST SP 800-63 identity assurance level (IAL).</message>
             </expect>
-            <expect id="has-data-flow-diagram-description" target="system-characteristics/data-flow/diagram" test="description" level="ERROR">
-                <message>Each FedRAMP SSP data flow diagram must have a description.</message>
+            <expect id="has-incident-response-plan" target="back-matter" test="resource[prop[@name eq 'type' and @value eq 'plan' and @class eq 'incident-response-plan']]" level="ERROR">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/"/>
+                <message>A FedRAMP SSP MUST have an Incident Response Plan attached.</message>
             </expect>
-            <expect id="has-data-flow-diagram-link" target="system-characteristics/data-flow/diagram" test="link" level="ERROR">
-                <message>Each FedRAMP SSP data flow diagram must have a link.</message>
+            <expect id="has-information-system-contingency-plan" target="back-matter" test="resource[prop[@name eq 'type' and @value eq 'plan' and @class eq 'information-system-contingency-plan']]" level="ERROR">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/"/>
+                <message>A FedRAMP SSP MUST have a Contingency Plan attached.</message>
             </expect>
-            <expect id="has-data-flow-diagram-caption" target="system-characteristics/data-flow/diagram" test="caption" level="ERROR">
-                <message>Each FedRAMP SSP data flow diagram must have a caption.</message>
+            <expect id="has-network-architecture" target="system-characteristics" test="network-architecture" level="ERROR">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#network-architecture"/>
+                <message>A FedRAMP SSP MUST include a network architecture.</message>
             </expect>
-            <expect id="has-data-flow-diagram-link-rel" target="system-characteristics/data-flow/diagram/link" test="@rel" level="ERROR">
-                <message>Each FedRAMP SSP data flow diagram must have a link rel attribute.</message>
+            <expect id="has-network-architecture-diagram" target="system-characteristics/network-architecture" test="diagram" level="WARNING">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#network-architecture"/>
+                <message>A FedRAMP SSP MUST have at least one network architecture diagram.</message>
             </expect>
-            <expect id="has-data-flow-diagram-link-rel-allowed-value" target="system-characteristics/data-flow/diagram/link" test="@rel eq 'diagram'" level="ERROR">
-                <message>Each FedRAMP SSP data flow diagram must have a link rel attribute with the value "diagram".</message>
+            <expect id="has-network-architecture-diagram-caption" target="system-characteristics/network-architecture/diagram" test="caption" level="ERROR">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#network-architecture"/>
+                <message>Each FedRAMP SSP network architecture diagram MUST have a caption.</message>
             </expect>
-            <expect id="has-security-sensitivity-level" target="system-characteristics" test="security-sensitivity-level" level="ERROR">
-                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#system-sensitivity-level"/>
-                <message>A FedRAMP SSP document MUST specify a FIPS 199 categorization.</message>
+            <expect id="has-network-architecture-diagram-description" target="system-characteristics/network-architecture/diagram" test="description" level="ERROR">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#network-architecture"/>
+                <message>Each FedRAMP SSP network architecture diagram MUST have a description.</message>
+            </expect>
+            <expect id="has-network-architecture-diagram-link" target="system-characteristics/network-architecture/diagram" test="link" level="ERROR">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#network-architecture"/>
+                <message>Each FedRAMP SSP network architecture diagram MUST have a link.</message>
+            </expect>
+            <expect id="has-network-architecture-diagram-link-rel" target="system-characteristics/network-architecture/diagram/link" test="@rel" level="ERROR">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#network-architecture"/>
+                <message>Each FedRAMP SSP network architecture diagram MUST have a link rel attribute.</message>
+            </expect>
+            <expect id="has-network-architecture-diagram-link-rel-allowed-value" target="system-characteristics/network-architecture/diagram/link" test="@rel eq 'diagram'" level="ERROR">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#network-architecture"/>
+                <message>Each FedRAMP SSP network architecture diagram MUST have a link rel attribute with the value "diagram".</message>
+            </expect>
+            <expect id="has-rules-of-behavior" target="back-matter" test="resource[prop[@name eq 'type' and @value eq 'rules-of-behavior']]" level="ERROR">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/"/>
+                <message>A FedRAMP SSP MUST have Rules of Behavior.</message>
             </expect>
             <expect id="has-security-impact-level" target="system-characteristics" test="security-impact-level" level="ERROR">
-                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#system-sensitivity-level"/>
                 <message>A FedRAMP SSP document MUST specify a security impact level.</message>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#system-sensitivity-level"/>
+            </expect>
+            <expect id="has-security-sensitivity-level" target="system-characteristics" test="security-sensitivity-level" level="ERROR">
+                <message>A FedRAMP SSP document MUST specify a FIPS 199 categorization.</message>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#system-sensitivity-level"/>
+            </expect>
+            <expect id="has-separation-of-duties-matrix" target="back-matter" test="resource[prop[@name eq 'type' and @value eq 'separation-of-duties-matrix']]" level="ERROR">
+                <message>A FedRAMP SSP MUST have a Separation of Duties Matrix attached.</message>
             </expect>
             <expect id="has-system-id" target="system-characteristics" test="system-id[@identifier-type eq 'https://fedramp.gov']" level="ERROR">
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#system-name-abbreviation-and-fedramp-unique-identifier"/>
-                <message>A FedRAMP SSP must have a FedRAMP system identifier.</message>
+                <message>A FedRAMP SSP MUST have a FedRAMP system identifier.</message>
             </expect>
-            <expect id="security-sensitivity-level-matches-security-impact-level" target="system-characteristics/security-sensitivity-level" test=". eq $security-impact-level" level="WARNING">
-                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#system-sensitivity-level"/>
-                <message>A FedRAMP SSP SHOULD define its FIPS-199 security sensitivity level to match the highest security impact level for the system's confidentiality, integrity, and availability objectives.</message>
+            <expect id="has-system-name-short" target="system-characteristics" test="system-name-short" level="ERROR">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#system-name-abbreviation-and-fedramp-unique-identifier"/>
+                <message>A FedRAMP SSP MUST have a short system name.</message>
+            </expect>
+            <expect id="has-user-guide" target="back-matter" test="resource[prop[@name eq 'type' and @value eq 'users-guide']]" level="ERROR">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/"/>
+                <message>A FedRAMP SSP MUST have a User Guide attached.</message>
             </expect>
             <expect id="import-profile-has-available-document" target="import-profile" test="doc-available(resolve-uri($resolved-import-profile-href))" level="CRITICAL">
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/3-working-with-oscal-files/#importing-the-fedramp-baseline"/>
@@ -211,6 +237,10 @@
                     <p>A FedRAMP SSP MUST use a valid FedRAMP catalog to reference security controls. It MUST NOT reference controls from a non-FedRAMP catalog.</p>
                 </remarks>
             </expect>
+            <expect id="information-type-has-availability-impact" target="system-characteristics/system-information/information-type" test="availability-impact" level="ERROR">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#system-information-and-information-types"/>
+                <message>A FedRAMP SSP information type MUST have an availability impact.</message>
+            </expect>
             <expect id="information-type-has-confidentiality-impact" target="system-characteristics/system-information/information-type" test="confidentiality-impact" level="ERROR">
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#system-information-and-information-types"/>
                 <message>A FedRAMP SSP information type MUST have a confidentiality impact.</message>
@@ -219,38 +249,45 @@
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#system-information-and-information-types"/>
                 <message>A FedRAMP SSP information type MUST have an integrity impact.</message>
             </expect>
-            <expect id="information-type-has-availability-impact" target="system-characteristics/system-information/information-type" test="availability-impact" level="ERROR">
-                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#system-information-and-information-types"/>
-                <message>A FedRAMP SSP information type MUST have an availability impact.</message>
+            <expect id="resource-has-base64-or-rlink" target="back-matter/resource" test="count(./rlink) >= 1 or count(./base64) >= 1" level="WARNING">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/general-concepts/oscal-citations-and-attachments/#including-multiple-rlink-and-base64-fields"/>
+                <message>Every supporting artifact found in a citation MUST have at least one base64 or rlink element.</message>
             </expect>
-            <expect id="cia-impact-has-selected" target="system-characteristics/system-information/information-type/(confidentiality-impact | integrity-impact | availability-impact)" test="selected" level="ERROR">
-                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#system-information-and-information-types"/>
-                <message>A FedRAMP SSP information type confidentiality, integrity, or availability impact MUST specify the selected impact.</message>
+            <expect id="resource-has-title" target="back-matter/resource" test="title" level="WARNING">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/general-concepts/oscal-citations-and-attachments/#citation-and-attachment-details"/>
+                <message>Every supporting artifact found in a citation SHOULD have a title.</message>
             </expect>
-            <expect id="cia-impact-has-adjustment-justification" target="system-characteristics/system-information/information-type/(confidentiality-impact | integrity-impact | availability-impact)" test="if (base ne selected) then exists(adjustment-justification) else true()" level="ERROR">
-                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#system-information-and-information-types"/>
-                <message>When SP 800-60 base and selected impacts levels differ for a given information type, the SSP MUST include a justification for the difference.</message>
+            <expect id="security-sensitivity-level-matches-security-impact-level" target="system-characteristics/security-sensitivity-level" test=". eq $security-impact-level" level="WARNING">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#system-sensitivity-level"/>
+                <message>A FedRAMP SSP SHOULD define its FIPS-199 security sensitivity level to match the highest security impact level for the system's confidentiality, integrity, and availability objectives.</message>
             </expect>
-            <expect id="has-system-name-short" target="system-characteristics" test="system-name-short" level="ERROR">
-                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#system-name-abbreviation-and-fedramp-unique-identifier"/>
-                <message>A FedRAMP SSP MUST have a short system name.</message>
+        </constraints>
+    </context>
+
+    <context>
+        <metapath target="/system-security-plan/control-implementation"/>
+        <constraints>
+            <expect id="missing-response-components" target="implemented-requirement" test="count(./by-component) gt 0">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/6-security-controls/#response-overview"/>
+                <message>Each implemented requirement MUST have at least one by-component reference to the source component implementing it.</message>
             </expect>
         </constraints>
     </context>
+
     <context>
         <metapath target="/system-security-plan/metadata"/>
         <constraints>
+            <expect id="data-center-alternate" target="." test="count(/location/prop[@name eq 'type'][@value eq 'data-center'][@class eq 'alternate']) &gt; 0">
+               <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0"  name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#data-centers"/>
+                <message>There MUST be one or more alternate data center(s).</message>
+            </expect>
             <expect id="data-center-count" target="." test="count(/location/prop[@name eq 'type'][@value eq 'data-center']) &gt; 1">
-               <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0"  name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#data-centers" />
-                <message>There must be at least two (2) data centers listed.</message>
+               <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0"  name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#data-centers"/>
+                <message>There MUST be at least two (2) data centers listed.</message>
             </expect>
             <expect id="data-center-primary" target="." test="count(/location/prop[@name eq 'type'][@value eq 'data-center'][@class eq 'primary']) = 1">
-               <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0"  name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#data-centers" />
-                <message>There must be a single primary data center.</message>
-            </expect>
-            <expect id="data-center-alternate" target="." test="count(/location/prop[@name eq 'type'][@value eq 'data-center'][@class eq 'alternate']) &gt; 0">
-               <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0"  name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#data-centers" />
-                <message>There must be one or more alternate data center(s).</message>
+               <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0"  name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#data-centers"/>
+                <message>There MUST be a single primary data center.</message>
             </expect>
             <index name="index-person-party-uuid" target="map:merge(party[@type='person'] ! map:entry(@uuid,.))?*">
             	<formal-name>Index of parties of type "person".</formal-name>
@@ -260,25 +297,34 @@
             <index-has-key id="responsible-party-is-person" name="index-person-party-uuid" target="./responsible-party[(@role-id='system-owner') or (@role-id='information-system-security-officer')]" level="ERROR">
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#summary-of-ssp-roles-requirements"/>
                 <key-field target="party-uuid"/>
-                <message>For roles 'system-owner' and 'information-system-security-officer', the responsible-role party must be a party of type 'person'.</message>
+                <message>For roles 'system-owner' and 'information-system-security-officer', the responsible-role party MUST be a party of type 'person'.</message>
             </index-has-key>
-            <expect id="role-defined-system-owner" target="." test="role[@id eq 'system-owner']" level="ERROR">
-                <message>A FedRAMP SSP must define the system owner role.</message>
-            </expect>
             <expect id="role-defined-authorizing-official-poc" target="." test="role[@id eq 'authorizing-official-poc']" level="ERROR">
-                <message>A FedRAMP SSP must define a role for the point of contact for an authorizing official.</message>
+                <message>A FedRAMP SSP MUST define a role for the point of contact for an authorizing official.</message>
             </expect>
             <expect id="role-defined-information-system-security-officer" target="." test="role[@id eq 'information-system-security-officer']" level="ERROR">
-                <message>A FedRAMP SSP must define a role for the point of contact for an information system security officer.</message>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#assignment-of-security-responsibilities"/>
+                <message>A FedRAMP SSP MUST define a role for the point of contact for an information system security officer.</message>
+            </expect>
+            <expect id="role-defined-system-owner" target="." test="role[@id eq 'system-owner']" level="ERROR">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#information-system-owner"/>
+                <message>A FedRAMP SSP MUST define the system owner role.</message>
             </expect>
         </constraints>
     </context>
+
     <context>
-        <metapath target="/system-security-plan/control-implementation"/>
+        <metapath target="/system-security-plan/metadata/location"/>
         <constraints>
-            <expect id="missing-response-components" target="implemented-requirement" test="count(./by-component) gt 0">
-                <message>Each implemented requirement must have at least one by-component reference to the source component implementing it.</message>
+            <expect id="data-center-country-code" target="." test="count(address/country) eq 1">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0"  name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#data-centers"/>
+                <message>Each data center address MUST contain a country code.</message>
+            </expect>
+            <expect id="data-center-US" target="." test="address/country eq 'US'">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0"  name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#data-centers"/>
+                <message>Each data center MUST have an address that is within the United States.</message>
             </expect>
         </constraints>
     </context>
+    
 </metaschema-meta-constraints>
\ No newline at end of file