From 73b413f200a81c0a8fb54d8fecd5b118555b495d Mon Sep 17 00:00:00 2001
From: Rene Tshiteya <rene-claude.tshiteya@noblis.org>
Date: Thu, 5 Sep 2024 13:28:31 -0400
Subject: [PATCH] Add responsible-party-is-person constraint

---
 features/fedramp_extensions.feature           |   3 +
 .../constraints/content/ssp-all-INVALID.xml   |  64 +++++++
 .../constraints/content/ssp-all-VALID.xml     | 173 +++++++++++++-----
 .../fedramp-external-constraints.xml          | 118 +++++++-----
 .../responsible-party-is-person-FAIL.yaml     |   7 +
 .../responsible-party-is-person-PASS.yaml     |   7 +
 6 files changed, 278 insertions(+), 94 deletions(-)
 create mode 100644 src/validations/constraints/unit-tests/responsible-party-is-person-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/responsible-party-is-person-PASS.yaml

diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature
index a297fc489..c327fd82e 100644
--- a/features/fedramp_extensions.feature
+++ b/features/fedramp_extensions.feature
@@ -65,6 +65,8 @@ Examples:
   | resource-has-title-PASS.yaml |
   | response-point-FAIL.yaml |
   | response-point-PASS.yaml |
+  | responsible-party-is-person-FAIL.yaml |
+  | responsible-party-is-person-PASS.yaml |
   | scan-type-FAIL.yaml |
   | scan-type-PASS.yaml |
   | user-type-FAIL.yaml |
@@ -109,6 +111,7 @@ Examples:
   | prop-response-point-has-cardinality-one |
   | resource-has-base64-or-rlink |
   | resource-has-title |
+  | responsible-party-is-person |
   | scan-type |
   | user-type |
 #END_DYNAMIC_CONSTRAINT_IDS
\ No newline at end of file
diff --git a/src/validations/constraints/content/ssp-all-INVALID.xml b/src/validations/constraints/content/ssp-all-INVALID.xml
index 6904ae83c..f7801defe 100644
--- a/src/validations/constraints/content/ssp-all-INVALID.xml
+++ b/src/validations/constraints/content/ssp-all-INVALID.xml
@@ -23,6 +23,48 @@
     <role id="asset-owner">
       <title>Asset Owner</title>
     </role>
+    <role id="system-owner">
+      <title>Information System Owner</title>
+      <description>
+         <p>The individual within the CSP who is ultimately accountable for everything related to this system.</p>
+      </description>
+   </role>
+   <role id="authorizing-official">
+      <title>Authorizing Official</title>
+      <description>
+         <p>The individual or individuals who must grant this system an authorization to operate.</p>
+      </description>
+   </role>
+   <role id="authorizing-official-poc">
+      <title>Authorizing Official's Point of Contact</title>
+      <description>
+         <p>The individual representing the authorizing official.</p>
+      </description>
+   </role>
+   <role id="system-poc-management">
+      <title>Information System Management Point of Contact (POC)</title>
+      <description>
+         <p>The highest level manager who responsible for system operation on behalf of the System Owner.</p>
+      </description>
+   </role>
+   <role id="system-poc-technical">
+      <title>Information System Technical Point of Contact</title>
+      <description>
+         <p>The individual or individuals leading the technical operation of the system.</p>
+      </description>
+   </role>
+   <role id="system-poc-other">
+      <title>General Point of Contact (POC)</title>
+      <description>
+         <p>A general point of contact for the system, designated by the system owner.</p>
+      </description>
+   </role>
+   <role id="information-system-security-officer">
+      <title>System Information System Security Officer (or Equivalent)</title>
+      <description>
+         <p>The individual accountable for the security posture of the system on behalf of the system owner.</p>
+      </description>
+   </role>
     <location uuid="11111112-0000-4000-9001-000000000009">
       <address >
         <country>WRONG</country>
@@ -48,6 +90,28 @@
       <party-uuid>22222222-0000-4000-9000-000000000002</party-uuid>
     </responsible-party>
     
+    <responsible-party role-id="system-owner">
+      <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
+    </responsible-party>
+    <responsible-party role-id="authorizing-official">
+      <party-uuid>22222222-0000-4000-9000-000000000002</party-uuid>
+    </responsible-party>
+    <responsible-party role-id="authorizing-official-poc">
+      <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
+    </responsible-party>
+    <responsible-party role-id="system-poc-management">
+      <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
+    </responsible-party>
+    <responsible-party role-id="system-poc-technical">
+      <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
+    </responsible-party>
+    <responsible-party role-id="system-poc-other">
+      <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
+    </responsible-party>
+    <responsible-party role-id="information-system-security-officer">
+      <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
+    </responsible-party>
+    
     <remarks>
       <p>This SSP is an example for demonstration purposes.</p>
     </remarks>
diff --git a/src/validations/constraints/content/ssp-all-VALID.xml b/src/validations/constraints/content/ssp-all-VALID.xml
index 4bbcee219..5b3b11ba3 100644
--- a/src/validations/constraints/content/ssp-all-VALID.xml
+++ b/src/validations/constraints/content/ssp-all-VALID.xml
@@ -1,8 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
-                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
-                      uuid="12345678-1234-4321-8765-123456789012">
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+  uuid="12345678-1234-4321-8765-123456789012">
   <metadata>
     <title>Enhanced Example System Security Plan</title>
     <published>2024-08-01T14:30:00Z</published>
@@ -10,7 +10,7 @@
     <version>1.1</version>
     <oscal-version>1.0.0</oscal-version>
     <document-id scheme="https://example.com/identifiers">SSP-2024-002</document-id>
-    
+
     <role id="creator">
       <title>Document Creator</title>
     </role>
@@ -23,27 +23,73 @@
     <role id="asset-owner">
       <title>Asset Owner</title>
     </role>
+    <role id="system-owner">
+      <title>Information System Owner</title>
+      <description>
+        <p>The individual within the CSP who is ultimately accountable for everything related to
+          this system.</p>
+      </description>
+    </role>
+    <role id="authorizing-official">
+      <title>Authorizing Official</title>
+      <description>
+        <p>The individual or individuals who must grant this system an authorization to operate.</p>
+      </description>
+    </role>
+    <role id="authorizing-official-poc">
+      <title>Authorizing Official's Point of Contact</title>
+      <description>
+        <p>The individual representing the authorizing official.</p>
+      </description>
+    </role>
+    <role id="system-poc-management">
+      <title>Information System Management Point of Contact (POC)</title>
+      <description>
+        <p>The highest level manager who responsible for system operation on behalf of the System
+          Owner.</p>
+      </description>
+    </role>
+    <role id="system-poc-technical">
+      <title>Information System Technical Point of Contact</title>
+      <description>
+        <p>The individual or individuals leading the technical operation of the system.</p>
+      </description>
+    </role>
+    <role id="system-poc-other">
+      <title>General Point of Contact (POC)</title>
+      <description>
+        <p>A general point of contact for the system, designated by the system owner.</p>
+      </description>
+    </role>
+    <role id="information-system-security-officer">
+      <title>System Information System Security Officer (or Equivalent)</title>
+      <description>
+        <p>The individual accountable for the security posture of the system on behalf of the system
+          owner.</p>
+      </description>
+    </role>
     <location uuid="11111112-0000-4000-9001-000000000009">
-      <address >
+      <address>
         <country>US</country>
       </address>
-      <prop name='data-center' value='dc-zone-1' class='primary' ns="https://fedramp.gov/ns/oscal"/>
+      <prop name='data-center' value='dc-zone-1' class='primary' ns="https://fedramp.gov/ns/oscal" />
     </location>
     <location uuid="11111112-0000-4000-9000-000000000003">
-      <address >
+      <address>
         <country>US</country>
       </address>
-      <prop name='data-center' value='aws-us-west-1' class='alternate' ns="https://fedramp.gov/ns/oscal"/>
+      <prop name='data-center' value='aws-us-west-1' class='alternate'
+        ns="https://fedramp.gov/ns/oscal" />
     </location>
     <party uuid="11111111-0000-4000-9000-000000000001" type="organization">
       <name>Example Organization</name>
       <short-name>ExOrg</short-name>
-      <link rel="website" href="https://example.com"/>
+      <link rel="website" href="https://example.com" />
     </party>
     <party uuid="22222222-0000-4000-9000-000000000002" type="person">
       <name>Jane Doe</name>
       <email-address>jane.doe@example.com</email-address>
-    <address type="work"  />
+      <address type="work" />
     </party>
 
     <responsible-party role-id="creator">
@@ -52,25 +98,51 @@
     <responsible-party role-id="content-approver">
       <party-uuid>22222222-0000-4000-9000-000000000002</party-uuid>
     </responsible-party>
+
+    <responsible-party role-id="system-owner">
+      <party-uuid>22222222-0000-4000-9000-000000000002</party-uuid>
+    </responsible-party>
+    <responsible-party role-id="authorizing-official">
+      <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
+    </responsible-party>
+    <responsible-party role-id="authorizing-official-poc">
+      <party-uuid>22222222-0000-4000-9000-000000000002</party-uuid>
+    </responsible-party>
+    <responsible-party role-id="system-poc-management">
+      <party-uuid>22222222-0000-4000-9000-000000000002</party-uuid>
+    </responsible-party>
+    <responsible-party role-id="system-poc-technical">
+      <party-uuid>22222222-0000-4000-9000-000000000002</party-uuid>
+    </responsible-party>
+    <responsible-party role-id="system-poc-other">
+      <party-uuid>22222222-0000-4000-9000-000000000002</party-uuid>
+    </responsible-party>
+    <responsible-party role-id="information-system-security-officer">
+      <party-uuid>22222222-0000-4000-9000-000000000002</party-uuid>
+    </responsible-party>
+
     <remarks>
       <p>This SSP is an example for demonstration purposes.</p>
     </remarks>
   </metadata>
-  
-  <import-profile href="../../../../dist/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.xml"/>
-  
+
+  <import-profile
+    href="../../../../dist/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.xml" />
+
   <system-characteristics>
     <system-id identifier-type="https://fedramp.gov">F00000001</system-id>
     <system-name>Enhanced Example System</system-name>
     <description>
-      <p>This is an enhanced example system for demonstration purposes, incorporating more FedRAMP-specific elements.</p>
+      <p>This is an enhanced example system for demonstration purposes, incorporating more
+        FedRAMP-specific elements.</p>
     </description>
-    <prop name='cloud-deployment-model' value='government-only-cloud' ns="https://fedramp.gov/ns/oscal"/>
-    <prop name='cloud-service-model' value='other' ns="https://fedramp.gov/ns/oscal"/>
-    <prop name='authorization-type' value='fedramp-agency' ns="https://fedramp.gov/ns/oscal"/>
+    <prop name='cloud-deployment-model' value='government-only-cloud'
+      ns="https://fedramp.gov/ns/oscal" />
+    <prop name='cloud-service-model' value='other' ns="https://fedramp.gov/ns/oscal" />
+    <prop name='authorization-type' value='fedramp-agency' ns="https://fedramp.gov/ns/oscal" />
     <security-sensitivity-level>moderate</security-sensitivity-level>
     <system-information>
-      <information-type  uuid="33333333-0000-4000-9000-000000000003">
+      <information-type uuid="33333333-0000-4000-9000-000000000003">
         <title>Financial Information</title>
         <description>
           <p>Contains sensitive financial data related to organizational operations.</p>
@@ -94,29 +166,30 @@
       <security-objective-integrity>moderate</security-objective-integrity>
       <security-objective-availability>moderate</security-objective-availability>
     </security-impact-level>
-    <status state="operational"/>
+    <status state="operational" />
     <authorization-boundary>
       <description>
-        <p>The authorization boundary includes all components within the main data center and the disaster recovery site.</p>
+        <p>The authorization boundary includes all components within the main data center and the
+          disaster recovery site.</p>
       </description>
     </authorization-boundary>
   </system-characteristics>
-  
+
   <system-implementation>
     <user uuid="44444444-0000-4000-9000-000000000004">
       <title>System Administrator</title>
-      <prop name="type" value="internal"/>
-      <prop name="privilege-level" value="read-write"/>
+      <prop name="type" value="internal" />
+      <prop name="privilege-level" value="read-write" />
       <role-id>system-admin</role-id>
     </user>
-    
+
     <component uuid="55555555-0000-4000-9000-000000000005" type="this-system">
       <title>Primary Application Server</title>
       <description>
         <p>Main application server hosting the core system functionality.</p>
       </description>
       <purpose>main line</purpose>
-      <status state="operational"/>
+      <status state="operational" />
       <responsible-role role-id="system-admin">
         <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
       </responsible-role>
@@ -124,15 +197,15 @@
         <p>This is the primary application server for the system.</p>
       </remarks>
     </component>
-    
+
     <component uuid="66666666-0000-4000-9000-000000000006" type="interconnection">
       <title>External API Connection</title>
       <description>
         <p>Secure connection to an external API for data enrichment.</p>
       </description>
-      <prop name="interconnection-security" value="vpn" ns="https://fedramp.gov/ns/oscal"/>
-      <prop name="interconnection-direction" value="in/out" ns="https://fedramp.gov/ns/oscal"/>
-      <status state="operational"/>
+      <prop name="interconnection-security" value="vpn" ns="https://fedramp.gov/ns/oscal" />
+      <prop name="interconnection-direction" value="in/out" ns="https://fedramp.gov/ns/oscal" />
+      <status state="operational" />
       <responsible-role role-id="system-admin">
         <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
       </responsible-role>
@@ -140,70 +213,72 @@
         <p>This connection is used for secure data exchange with external systems.</p>
       </remarks>
     </component>
-    
+
     <inventory-item uuid="77777777-0000-4000-9000-000000000007">
       <description>
         <p>Primary database server</p>
       </description>
-      <prop name="asset-id" value="DB-001" ns="http://csrc.nist.gov/ns/oscal"/>
-      <prop name="asset-type" value="database"/>
-      <prop name="allows-authenticated-scan" value="yes"/>
-      <prop name="public" value="no"/>
-      <prop name="virtual" value="yes"/>
-      <prop name="scan-type" value="database" ns="https://fedramp.gov/ns/oscal"/>
+      <prop name="asset-id" value="DB-001" ns="http://csrc.nist.gov/ns/oscal" />
+      <prop name="asset-type" value="database" />
+      <prop name="allows-authenticated-scan" value="yes" />
+      <prop name="public" value="no" />
+      <prop name="virtual" value="yes" />
+      <prop name="scan-type" value="database" ns="https://fedramp.gov/ns/oscal" />
       <responsible-party role-id="asset-owner">
         <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
       </responsible-party>
       <implemented-component component-uuid="55555555-0000-4000-9000-000000000005">
-        <prop name="asset-id" value="DB-001" ns="http://csrc.nist.gov/ns/oscal"/>
+        <prop name="asset-id" value="DB-001" ns="http://csrc.nist.gov/ns/oscal" />
       </implemented-component>
     </inventory-item>
   </system-implementation>
-  
+
   <control-implementation>
     <description>
       <p>Implementation of controls for the Enhanced Example System</p>
     </description>
     <implemented-requirement uuid="88888888-0000-4000-9000-000000000008" control-id="ac-1">
-      <prop name="control-origination" value="sp-system" ns="https://fedramp.gov/ns/oscal"/>
-      <prop name="implementation-status" value="partial" ns="https://fedramp.gov/ns/oscal"/>
+      <prop name="control-origination" value="sp-system" ns="https://fedramp.gov/ns/oscal" />
+      <prop name="implementation-status" value="partial" ns="https://fedramp.gov/ns/oscal" />
       <statement statement-id="ac-1_stmt.a" uuid="99999999-0000-4000-9000-000000000009">
       </statement>
-      <by-component component-uuid="55555555-0000-4000-9000-000000000005" uuid="aaaaaaaa-0000-4000-9000-00000000000a">
+      <by-component component-uuid="55555555-0000-4000-9000-000000000005"
+        uuid="aaaaaaaa-0000-4000-9000-00000000000a">
         <description>
           <p>Access Control Policy and Procedures (AC-1) is fully implemented in our system.</p>
         </description>
-        <prop ns="https://fedramp.gov/ns/oscal" name="implementation-status" value="implemented"/>
+        <prop ns="https://fedramp.gov/ns/oscal" name="implementation-status" value="implemented" />
         <responsible-role role-id="system-admin">
           <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
         </responsible-role>
       </by-component>
     </implemented-requirement>
-    
+
     <implemented-requirement uuid="bbbbbbbb-0000-4000-9000-00000000000b" control-id="cm-8">
-      <prop name="control-origination" value="sp-system" ns="https://fedramp.gov/ns/oscal"/>
+      <prop name="control-origination" value="sp-system" ns="https://fedramp.gov/ns/oscal" />
       <statement statement-id="cm-8_stmt.a" uuid="cccccccc-0000-4000-9000-00000000000c">
       </statement>
-      <by-component component-uuid="55555555-0000-4000-9000-000000000005" uuid="dddddddd-0000-4000-9000-00000000000d">
+      <by-component component-uuid="55555555-0000-4000-9000-000000000005"
+        uuid="dddddddd-0000-4000-9000-00000000000d">
         <description>
           <p>Information System Component Inventory (CM-8) is partially implemented.</p>
         </description>
-        <prop ns="https://fedramp.gov/ns/oscal" name="implementation-status" value="partial"/>
+        <prop ns="https://fedramp.gov/ns/oscal" name="implementation-status" value="partial" />
         <responsible-role role-id="system-admin">
           <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
         </responsible-role>
       </by-component>
     </implemented-requirement>
   </control-implementation>
-  
+
   <back-matter>
     <resource uuid="eeeeeeee-0000-4000-9000-00000000000e">
       <title>Access Control Policy</title>
       <description>
         <p>Detailed access control policy document</p>
       </description>
-      <prop name="type" value="policy" ns="https://fedramp.gov/ns/oscal"/>
-      <rlink href="https://example.com/policies/access-control.pdf"/>
+      <prop name="type" value="policy" ns="https://fedramp.gov/ns/oscal" />
+      <rlink href="https://example.com/policies/access-control.pdf" />
     </resource>
     <resource uuid="90a128ac-c850-48f6-8fff-a55692f80b41">
       <title>User's Guide</title>
diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
index 484f6f85a..33b57a3af 100644
--- a/src/validations/constraints/fedramp-external-constraints.xml
+++ b/src/validations/constraints/fedramp-external-constraints.xml
@@ -4,43 +4,50 @@
     <!-- FedRAMP Extensions -->
     <!-- ================== -->
     <context>
-        <metapath target="/catalog//control"/>
-        <metapath target="/assessment-plan/local-definitions/objectives-and-methods"/>
-        <metapath target="/assessment-results/local-definitions/objectives-and-methods"/>
+        <metapath target="/catalog//control" />
+        <metapath target="/assessment-plan/local-definitions/objectives-and-methods" />
+        <metapath target="/assessment-results/local-definitions/objectives-and-methods" />
 
         <constraints>
-            <expect id="prop-response-point-has-cardinality-one" target=".//part" test="count(prop[@ns='https://fedramp.gov/ns/oscal' and @name='response-point']) &lt;= 1">
+            <expect id="prop-response-point-has-cardinality-one" target=".//part"
+                test="count(prop[@ns='https://fedramp.gov/ns/oscal' and @name='response-point']) &lt;= 1">
                 <message>Duplicate reponse point at '{ path(.) }'.</message>
             </expect>
             <remarks>
                 <p>This appears in FedRAMP profiles and resolved profile catalogs.</p>
-                <p>For control statements, it signals to the CSP which statements require a response in the SSP.</p>
-                <p>For control objectives, it signals to the assessor which control objectives must appear in the assessment results, which aligns with the FedRAMP test case workbook.</p>
-             </remarks>
+                <p>For control statements, it signals to the CSP which statements require a response
+                    in the SSP.</p>
+                <p>For control objectives, it signals to the assessor which control objectives must
+                    appear in the assessment results, which aligns with the FedRAMP test case
+                    workbook.</p>
+            </remarks>
+        </constraints>
+    </context>
+    <context>
+        <metapath target="/system-security-plan/metadata/location" />
+        <constraints>
+            <expect id="data-center-country-code" target="." test="count(address/country) eq 1">
+                <message>Each data center address must contain a country code.</message>
+            </expect>
+            <expect id="data-center-US" target="." test="address/country eq 'US'">
+                <message>Each data center must have an address that is within the United States.</message>
+            </expect>
         </constraints>
-</context>
-<context>
-    <metapath target="/system-security-plan/metadata/location"/>
-    <constraints>
-        <expect id="data-center-country-code" target="." test="count(address/country) eq 1">
-            <message>Each data center address must contain a country code.</message>
-        </expect>
-        <expect id="data-center-US" target="." test="address/country eq 'US'">
-            <message>Each data center must have an address that is within the United States.</message>
-        </expect>
-    </constraints>
 
-</context>
-<context>
-    <metapath target="/system-security-plan"/>
-    <constraints>
-        <expect id="resource-has-title" target="back-matter/resource" test="title" level="WARNING">
-            <message>Every supporting artifact found in a citation should have a title.</message>
-        </expect>
-        <expect id="resource-has-base64-or-rlink" target="back-matter/resource" test="count(./rlink) >= 1 or count(./base64) >= 1" level="WARNING">
-            <message>Every supporting artifact found in a citation must have at least one base64 or rlink element.</message>
-        </expect>
-        <expect id="has-user-guide" target="back-matter" test="resource[prop[@name eq 'type' and @value eq 'users-guide']]" level="ERROR">
+    </context>
+    <context>
+        <metapath target="/system-security-plan" />
+        <constraints>
+            <expect id="resource-has-title" target="back-matter/resource" test="title"
+                level="WARNING">
+                <message>Every supporting artifact found in a citation should have a title.</message>
+            </expect>
+            <expect id="resource-has-base64-or-rlink" target="back-matter/resource"
+                test="count(./rlink) >= 1 or count(./base64) >= 1" level="WARNING">
+                <message>Every supporting artifact found in a citation must have at least one base64
+                    or rlink element.</message>
+            </expect>
+            <expect id="has-user-guide" target="back-matter" test="resource[prop[@name eq 'type' and @value eq 'users-guide']]" level="ERROR">
             <message>A FedRAMP SSP must have a User Guide attached.</message>
         </expect>
         <expect id="has-rules-of-behavior" target="back-matter" test="resource[prop[@name eq 'type' and @value eq 'rules-of-behavior']]" level="ERROR">
@@ -59,20 +66,41 @@
             <message>A FedRAMP SSP must have a Separation of Duties Matrix attached.</message>
         </expect>
     </constraints>
-</context>
-<context>
-    <metapath target="/system-security-plan/metadata"/>
-    <constraints>
-        <expect id="data-center-count" target="." test="count(/location/prop[@name eq 'data-center']) &gt; 1">
-            <message>There must be at least two (2) data centers listed.</message>
-        </expect>
+    </context>
+    <context>
+        <metapath target="/system-security-plan/metadata" />
+        <constraints>
+            <expect id="data-center-count" target="."
+                test="count(/location/prop[@name eq 'data-center']) &gt; 1">
+                <message>There must be at least two (2) data centers listed.</message>
+            </expect>
 
-        <expect id="data-center-primary" target="." test="count(/location/prop[@name eq 'data-center'][@class eq 'primary']) = 1">
-            <message>There must be a single primary data center.</message>
-        </expect>
-        <expect id="data-center-alternate" target="." test="count(/location/prop[@name eq 'data-center'][@class eq 'alternate']) &gt; 0">
-            <message>There must be one or more alternate data center(s).</message>
-        </expect>
-    </constraints>
-</context>
-</metaschema-meta-constraints>
+            <expect id="data-center-primary" target="."
+                test="count(/location/prop[@name eq 'data-center'][@class eq 'primary']) = 1">
+                <message>There must be a single primary data center.</message>
+            </expect>
+            <expect id="data-center-alternate" target="."
+                test="count(/location/prop[@name eq 'data-center'][@class eq 'alternate']) &gt; 0">
+                <message>There must be one or more alternate data center(s).</message>
+            </expect>
+        </constraints>
+    </context>
+    <context>
+        <metapath target="/system-security-plan/metadata"/>
+        <constraints>
+            <index name="index-person-party-uuid" target="map:merge(party[@type='person'] ! map:entry(@uuid,.))?*">
+            	<formal-name>In-Scope UUIDs for party assemblies of type "person".</formal-name>
+            	<description>An index of  UUIDs for party assemblies of type "person".</description>
+                <key-field target="@uuid"/>
+            </index>
+            <index-has-key id="responsible-party-is-person" name="index-person-party-uuid" target="./responsible-party[(@role-id='system-owner') or (@role-id='authorizing-official-poc') or (@role-id='system-poc-management') or (@role-id='system-poc-technical') or (@role-id='system-poc-other') or (@role-id='information-system-security-officer')]" level="ERROR">
+                <key-field target="party-uuid"/>
+                <message>This responsible-party references a party which is not a person.</message>
+            </index-has-key>
+            <remarks>
+                <p>For roles 'system-owner', 'authorizing-official-poc', 'system-poc-management', 'system-poc-technical', 'system-poc-other', and 'information-system-security-officer', the responsible-role party must be a party of type 'person'.</p>
+            </remarks>
+        </constraints>
+    </context>
+
+</metaschema-meta-constraints>
\ No newline at end of file
diff --git a/src/validations/constraints/unit-tests/responsible-party-is-person-FAIL.yaml b/src/validations/constraints/unit-tests/responsible-party-is-person-FAIL.yaml
new file mode 100644
index 000000000..283522d1d
--- /dev/null
+++ b/src/validations/constraints/unit-tests/responsible-party-is-person-FAIL.yaml
@@ -0,0 +1,7 @@
+test-case:
+  name: Negative Test for responsible-party-is-person
+  description: This test case validates the behavior of constraint responsible-party-is-person
+  content: ssp-all-INVALID.xml
+  expectations:
+    - constraint-id: responsible-party-is-person
+      result: fail
\ No newline at end of file
diff --git a/src/validations/constraints/unit-tests/responsible-party-is-person-PASS.yaml b/src/validations/constraints/unit-tests/responsible-party-is-person-PASS.yaml
new file mode 100644
index 000000000..688d13c40
--- /dev/null
+++ b/src/validations/constraints/unit-tests/responsible-party-is-person-PASS.yaml
@@ -0,0 +1,7 @@
+test-case:
+  name: Positive Test for responsible-party-is-person
+  description: This test case validates the behavior of constraint responsible-party-is-person
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: responsible-party-is-person
+      result: pass
\ No newline at end of file