From 80c3f54258367568696bc9f6fe8371afa06ebdc5 Mon Sep 17 00:00:00 2001 From: Gabeblis Date: Fri, 1 Nov 2024 15:03:30 -0400 Subject: [PATCH] Style Guide Constraints (#856) * Create style guide for FedRAMP OSCAL Constraints (#760) * Remove FedRAMP namespace from 'data-center' props (#795) * Hotfix/info (#780) * fix informational constraint handling and make ssp-all valid correct * revert external constraint changes * Update fedramp-external-constraints.xml * Update fedramp_extensions_steps.ts * update info handling * Update fedramp-external-constraints.xml Co-authored-by: Gabeblis * Update fedramp-external-constraints.xml Co-authored-by: Gabeblis * Update fedramp-external-constraints.xml Co-authored-by: Gabeblis * Update fedramp-external-constraints.xml Co-authored-by: Gabeblis * Update src/validations/constraints/fedramp-external-constraints.xml Co-authored-by: Gabeblis * Update src/validations/constraints/fedramp-external-constraints.xml Co-authored-by: Gabeblis * Update dev-constraint.js --------- Co-authored-by: Gabeblis * [skip ci] Create style guide doc for #675 * [skip ci] FSCR-1 re external constraints for #675 * [skip ci] FCSR-1, woops, need formal name for #675 * [skip ci] Tweak FCSR-1 anchor ID in #675 * [skip ci] Stop header hacks for IDs in #675 I read more about these techniques than I would like, but none of them appear to work effectively for making anchors like `#fcsr-1` without adding other content to the anchor which I would like to avoid. https://gist.github.com/asabaylus/3071099?permalink_comment_id=3895584 Either it never worked or something changed. Oh well! * [skip ci] Add FCSR-2 on context sorting for #675 * [skip ci] Add FCSR-3 about alpha sorting for #675 * [skip ci] Add FCSR-4 to require help-url for #675 * [skip ci] Adjust title from style guide to dev style guide per Rene's review * [skip ci] Adjust grammar and style per Rene's review Co-authored-by: Rene Tshiteya * [skip ci] @Rene2mt's feedback: add ID req for #675 * [skip ci] @Rene2mt's feedback: level req for #675 * [skip ci] @Rene2mt's review: why CRITICAL for #675 * [skip ci] Woops, missed IDs for reqs for #675 * [skip ci] Feedback: add message req for #675 * [skip ci] Fix constraint path in examples for #675 * [skip ci] Add remarks rec guidance for #675 * [skip ci] Add @wandmagic's rec for FCSR-1 for #675 * [skip ci] Add FCSR-10 re active voice for #675 * [skip ci] Remove FCSR-10's incorrect only for #675 * [skip ci] Add FCSR-11 about BCP14 words for #675 * [skip ci] Add no-jargon req FCSR-12 for #675 * [skip ci] Item, not sequence style req for #675 * [skip ci] Add req for sequence ctx hints for #675 * [skip ci] Add FCSR-15 re formal-names for #675 * [skip ci] Remove anchor hack from FCSR-1 for #675 * [skip ci] Wrap up kebab case IDs, reorder for #675 * [skip ci] Fixes from @Rene2mt'2 review for #675 * [skip ci] Add labels for rules in #675 * [skip ci] Simplify rule titles for #675 Follow feedback from @brian-ruf in his review. * [skip ci] Finalize table index with reqs for #645 * [skip ci] Limit informational constraints for #675 * [skip ci] Feedback: FRR1 about OSCAL constraints, not Metaschema constraints Co-authored-by: David Waltermire * [skip ci] Update FRR1 in table listing too Co-authored-by: David Waltermire * [skip ci] Add space in status row of table for FRR2 Co-authored-by: David Waltermire * [skip ci] Add missing word to FRR3 title Co-authored-by: David Waltermire * [skip ci] Improve the prose in FRR2 guidance Co-authored-by: David Waltermire * [skip ci] Reorder statements in sentence of FRR2 guidance Co-authored-by: David Waltermire * [skip ci] Clarify ambiguous wording in FRR5 Co-authored-by: David Waltermire * [skip ci] Correct typos in FRR6 formal name Co-authored-by: David Waltermire * [skip ci] Make FRR7 formal name more explicit Co-authored-by: David Waltermire * [skip ci] Improve FRR8 formal name Co-authored-by: David Waltermire * [skip ci] Fix FRR8 formal name in table index Co-authored-by: David Waltermire * [skip ci] Fix FRR9 formal name in table index Co-authored-by: David Waltermire * [skip ci] Fix FRR9 formal name in table index Co-authored-by: David Waltermire * [skip ci] Adjust FRR9 guidance to specify expect constraints Co-authored-by: David Waltermire * [skip ci] Adjust FRR9 constraint examples for correct type Co-authored-by: David Waltermire * [skip ci] Adjust FRR10 formal name to be more clear Co-authored-by: David Waltermire * [skip ci] Fix FRR10 formal name in table index Co-authored-by: David Waltermire * [skip ci] Make FRR11 formal name better sentence fragment Co-authored-by: David Waltermire * [skip ci] Fix FRR11 above requirement text Co-authored-by: David Waltermire * [skip ci] Adjust FedRAMP reqs prefix FCSR->FRR Given related work in the program, I want to generalize the prefix to be more general and global for all form of FedRAMP requirements down the road. * [skip ci] Add missing examples to FRR17 for #675 * [skip ci] Align formal names, spacing for #675 I had to fix up some of the formal names where Dave covered some of them in many places, but not all. Also other suggestions add some space. * [skip ci] Add level to many examples, finish #675 * [skip ci] Fold longer bg info for reqs in #675 * [skip ci] Clarify FRR1 bad example is bad in #645 * [skip ci] Clarify context order examples for #675 * [skip ci] Clarify case sorting for FRR3 in #675 * [skip ci] Clean up explanation of FRR10 for #675 * [skip ci] Fix typos in FRR13 and FRR15 for #675 * [skip ci] FRR2 feedback from Kylie for #675 * [skip ci] Reword FRR9 with Kylie's feedback in #675 * [skip ci] Woops, FRR16 twice, no FRR17 for #675 * [skip ci] Last call and let reqs in FRR18 for #675 * [skip ci] Correct ID for FRR18 to anchor in table Co-authored-by: Gabeblis * [skip ci] Offset req ID sequence Per discussion with others on a call with leads and staff from both FR branches, begin with an offset sequences and reserve the first 100 for other uses for the time being. /cc @kscarf1 * [skip ci] BCP14 keywords in #675 summary text * [skip ci] Tighten up summary text more for #675 * [skip ci] Add back to top anchors for #675 * [skip ci] Better grammar and flow for #675 summary * [skip ci] Improve FRR102 guidance text for #675 * [skip ci] Capitalize and fix FRR110 title for #675 * [skip ci] Fix poor grammar in FRR117 text for #675 * [skip ci] Explicit docs URL in FRR104 for #675 Address missing feedback to @kyhu65867 from review that had not been previously addressed by yours truly. * [skip ci] Fix FRR105 with feedback for #675 Address some feedback about wording and style of the unique ID req. * [skip ci] Fix FRR103 spacing for #675 Completely address feedback from @david-waltermire after checking for final review of style guide left in the comment below. https://github.com/GSA/fedramp-automation/pull/760#discussion_r1803898145 * [skip ci] Fix FRR108 conformant example for #675 --------- Co-authored-by: Rene Tshiteya Co-authored-by: wandmagic <156969148+wandmagic@users.noreply.github.com> Co-authored-by: Gabeblis Co-authored-by: David Waltermire * Apply Style Guide To Constraints (#852) * Add props to each constraint that has sufficient existing documentation * Sort constraints alphabetically and sort ascending by metapath specificity * Add missing (and available) help-url * IETF BCP14 Keywords in Constraint Messages * spacing between context blocks for readability * sort alphabetically and use consistent spcaing. * Add style guide constraints Add constraints to enforce style guide Place holders for constraints to add when necessary functions for implementation are supported Add formal names space Add back constraint Delete temporary test file Point help-url to develop Clean up id and formal name Script name change to test:style * Clean up errors by adding place holder urls and change data-center-US to lowercase. Small touch up to style guide step. * make id lowercase * remove space * inject schema Co-authored-by: A.J. Stein * TODO * Move style guide * TODO * add help-url --------- Co-authored-by: A.J. Stein Co-authored-by: Rene Tshiteya Co-authored-by: wandmagic <156969148+wandmagic@users.noreply.github.com> Co-authored-by: David Waltermire Co-authored-by: A.J. Stein --- features/fedramp_extensions.feature | 6 +- features/steps/fedramp_extensions_steps.ts | 52 +++++ package.json | 1 + .../ssp-data-center-country-code-INVALID.xml | 2 +- ...LID.xml => ssp-data-center-us-INVALID.xml} | 0 .../fedramp-external-allowed-values.xml | 221 +++++++++--------- .../fedramp-external-constraints.xml | 94 ++++++-- .../unit-tests/data-center-us-FAIL.yaml | 8 +- .../unit-tests/data-center-us-PASS.yaml | 6 +- .../{constraints => styleguides}/STYLE.md | 0 .../styleguides/fedramp-constraint-style.xml | 57 +++++ 11 files changed, 313 insertions(+), 134 deletions(-) rename src/validations/constraints/content/{ssp-data-center-US-INVALID.xml => ssp-data-center-us-INVALID.xml} (100%) rename src/validations/{constraints => styleguides}/STYLE.md (100%) create mode 100644 src/validations/styleguides/fedramp-constraint-style.xml diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature index 4132664ec..253473489 100644 --- a/features/fedramp_extensions.feature +++ b/features/fedramp_extensions.feature @@ -1,5 +1,9 @@ Feature: OSCAL Document Constraints +@style-guide +Scenario Outline: Validating OSCAL constraints with metaschema constraints + Then I should verify that all constraints follow the style guide constraint + @constraints Scenario Outline: Validating OSCAL documents with metaschema constraints Given I have Metaschema extensions documents @@ -208,11 +212,11 @@ Examples: | cloud-service-model | | component-type | | control-implementation-status | - | data-center-US | | data-center-alternate | | data-center-count | | data-center-country-code | | data-center-primary | + | data-center-us | | deployment-model | | fedramp-version | | has-authenticator-assurance-level | diff --git a/features/steps/fedramp_extensions_steps.ts b/features/steps/fedramp_extensions_steps.ts index 9d4c045a4..7b13dbebf 100644 --- a/features/steps/fedramp_extensions_steps.ts +++ b/features/steps/fedramp_extensions_steps.ts @@ -665,4 +665,56 @@ Then("I should have both FAIL and PASS tests for constraint ID {string}", functi constraintId, `Constraint ${constraintId} is not in the extracted constraints list` ); +}); + +Then('I should verify that all constraints follow the style guide constraint', async function () { + const baseDir = join(__dirname, '..', '..'); + const constraintDir = join(baseDir, 'src', 'validations', 'constraints'); + const styleGuidePath = join(baseDir, 'src', 'validations', 'styleguides', 'fedramp-constraint-style.xml'); + + const constraint_files = readdirSync(constraintDir).filter((file) => file.startsWith('fedramp') && file.endsWith('constraints.xml') ); + const errors = []; + + function filterOutBrackets(input) { + return input.replace(/\[.*?\]/g, ''); + } + + for (const file_name of constraint_files) { + const filePath = join(constraintDir, file_name.trim()); + console.log(filePath); + try { + console.log(filePath); + const [result, error] = await executeOscalCliCommand('metaschema', [ + 'validate', + filePath, + '-c', + styleGuidePath, + '--disable-schema-validation' + ]); + + console.log(`Validation result for ${file_name}:`, result); + if (error) { + console.error(`Validation error for ${file_name}:`, error); + } + + const filteredError = filterOutBrackets(error); + if (filteredError) { + errors.push(`Style guide validation failed for ${file_name}: ${filteredError}`); + } + if (result.includes("ERROR")) { + errors.push(`Style guide validation found errors in ${file_name}: ${result}`); + } + } catch (error) { + errors.push(`Error processing ${file_name}: ${error}`); + } + } + + // Display all errors at the end + if (errors.length > 0) { + console.error("Validation errors found:"); + + throw new Error("Style guide validation failed. "+errors.join("\n")); + } + + expect(errors, "No style guide validation errors should be found").to.be.empty; }); \ No newline at end of file diff --git a/package.json b/package.json index 80974df0f..5c5b74d15 100644 --- a/package.json +++ b/package.json @@ -13,6 +13,7 @@ "test:failed": "cross-env NODE_OPTIONS=\"--loader ts-node/esm --no-warnings --experimental-specifier-resolution=node\" cucumber-js -p rerun", "test:constraints": "cross-env NODE_OPTIONS=\"--loader ts-node/esm --no-warnings --experimental-specifier-resolution=node\" cucumber-js --tags @constraints", "test:coverage": "cross-env NODE_OPTIONS=\"--loader ts-node/esm --no-warnings --experimental-specifier-resolution=node\" cucumber-js --tags @full-coverage", + "test:style": "cross-env-shell NODE_OPTIONS=\"--loader ts-node/esm --no-warnings --experimental-specifier-resolution=node\" cucumber-js --tags @style-guide", "mq": "node ./src/scripts/dev-metaschema-eval.js", "constraint": "node ./src/scripts/dev-constraint.js" }, diff --git a/src/validations/constraints/content/ssp-data-center-country-code-INVALID.xml b/src/validations/constraints/content/ssp-data-center-country-code-INVALID.xml index 217db047c..717365051 100644 --- a/src/validations/constraints/content/ssp-data-center-country-code-INVALID.xml +++ b/src/validations/constraints/content/ssp-data-center-country-code-INVALID.xml @@ -7,7 +7,7 @@
- +
diff --git a/src/validations/constraints/content/ssp-data-center-US-INVALID.xml b/src/validations/constraints/content/ssp-data-center-us-INVALID.xml similarity index 100% rename from src/validations/constraints/content/ssp-data-center-US-INVALID.xml rename to src/validations/constraints/content/ssp-data-center-us-INVALID.xml diff --git a/src/validations/constraints/fedramp-external-allowed-values.xml b/src/validations/constraints/fedramp-external-allowed-values.xml index b79d8aa7d..cb9fac12d 100644 --- a/src/validations/constraints/fedramp-external-allowed-values.xml +++ b/src/validations/constraints/fedramp-external-allowed-values.xml @@ -12,15 +12,18 @@ - - - - FedRAMP Version - Identifies the FedRAMP version of the document. - FedRAMP Version + + + Address Type + The type of address for the party + + Work + +

FedRAMP requires work addresses.

+ - + Attachment Type Identifies the type of attachment. @@ -62,6 +65,23 @@ + + Authorization Type + The FedRAMP Authorization Type + FedRAMP JAB P-ATO + FedRAMP Agency ATO + FedRAMP Tailored for LI-SaaS + + + + Cloud Service Model + The cloud service model used by the system. + Infrastructure as a Service + Platform as a Service + Software as a Service + Other + + Component Type Identifies the component type. @@ -91,51 +111,6 @@ Not Applicable - - Interconnection Direction - Identifies the direction of information flow for the interconnection. - Incoming - Outgoing - Bi-Directional - - - - Interconnection Security - Identifies the type of security applied to the interconnection. - IPsec - Virtual Private Network - Transport-Layer Security - Transport-Layer Security - Certificate Authentication Security - Secure File Transfer - Other - - - - Scan Type - Identifies the type of scan. - Infrastructure and Operating System Scan - Database Scan - Web Scan - Other - - - Address Type - The type of address for the party - - Work - -

FedRAMP requires work addresses.

- - - - - Authorization Type - The FedRAMP Authorization Type - FedRAMP JAB P-ATO - FedRAMP Agency ATO - FedRAMP Tailored for LI-SaaS - Deployment Model The cloud deployment model. @@ -145,66 +120,13 @@ Hybrid Other - - Authorization Type - The FedRAMP Authorization Type - FedRAMP JAB P-ATO - FedRAMP Agency ATO - FedRAMP Tailored for LI-SaaS - - - User Type - The type of user. - - Internal - External - Privileged - - - Information Type Categorization System - The system used for categorizing information types. - NIST SP 800-60 Volume 2 Revision 1 - - - Privilege Level - The privilege level of the user. - - Read - Read-Write - Write - No Access - - - Cloud Service Model - The cloud service model used by the system. - Infrastructure as a Service - Platform as a Service - Software as a Service - Other + + FedRAMP Version + Identifies the FedRAMP version of the document. + FedRAMP Version - - Virtual - Indicates if the asset is virtual. - Yes - No - - - - Public - Indicates if the asset is exposed to the public Internet. - Yes - No - - - - Allows Authenticated Scan - Indicates if the asset is capable of having an authenticated scan. - Yes - No - - NIST SP 800-60 Volume 2 Revision 1 Information Types Contains a list of all supported information types from NIST SP 800-60 Volume 2 Revision 1. @@ -379,6 +301,71 @@ Industry Sector Income Stabilization + + Information Type Categorization System + The system used for categorizing information types. + NIST SP 800-60 Volume 2 Revision 1 + + + + Interconnection Direction + Identifies the direction of information flow for the interconnection. + Incoming + Outgoing + Bi-Directional + + + + Interconnection Security + Identifies the type of security applied to the interconnection. + IPsec + Virtual Private Network + Transport-Layer Security + Transport-Layer Security + Certificate Authentication Security + Secure File Transfer + Other + + + + Allows Authenticated Scan + Indicates if the asset is capable of having an authenticated scan. + Yes + No + + + + Public + Indicates if the asset is exposed to the public Internet. + Yes + No + + + + Virtual + Indicates if the asset is virtual. + Yes + No + + + + Privilege Level + The privilege level of the user. + + Read + Read-Write + Write + No Access + + + + Scan Type + Identifies the type of scan. + Infrastructure and Operating System Scan + Database Scan + Web Scan + Other + Privilege Level @@ -389,6 +376,7 @@ Write No Access + User Sensitvity Level Sensitivity level of the user. @@ -399,8 +387,17 @@ Limited Not Applicable - + + User Type + The type of user. + + Internal + External + Privileged + + + @@ -408,6 +405,7 @@ + Security Impact Level The security objective level as defined by NIST SP 800-60. @@ -415,7 +413,8 @@ Moderate High + - + \ No newline at end of file diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml index 2417d4537..de35545c6 100644 --- a/src/validations/constraints/fedramp-external-constraints.xml +++ b/src/validations/constraints/fedramp-external-constraints.xml @@ -4,10 +4,11 @@ - + + Fedramp Version A FedRAMP document's metadata MUST define a valid FedRAMP version. @@ -22,22 +23,27 @@ + User Has Authorized Privilege A FedRAMP document MUST define a user with at least one authorized privilege by a privilege identifier. + User Has Privilege Level A FedRAMP document MUST define a user with a privilege for their use of the system. + User Has Role ID A FedRAMP document MUST define a user with at least one role by a role identifier. + User Has Sensitivity Level A FedRAMP document MUST define a user with a sensitivity level of their use of the system. + User Has User Type A FedRAMP document MUST define a user with a type. @@ -50,7 +56,9 @@ - Duplicate response point at '{ path(.) }'. + Prop Response Point Has Cardinality One + + MUST NOT have Duplicate response point at '{ path(.) }'.

This appears in FedRAMP profiles and resolved profile catalogs.

@@ -72,192 +80,238 @@ then ('fips-199-moderate') else ('fips-199-low')"/> + Categorization Has Correct System Attribute - A FedRAMP SSP information-type categorization requires a correct system attribute. FedRAMP only supports the system value 'https://doi.org/10.6028/NIST.SP.800-60v2r1'. + A FedRAMP SSP information-type categorization MUST have a correct system attribute. FedRAMP only supports the system value 'https://doi.org/10.6028/NIST.SP.800-60v2r1'. + Categorization Has Information Type ID A FedRAMP SSP information type categorization MUST have at least one information type identifier. + Cia Impact Has Adjustment Justification When SP 800-60 base and selected impacts levels differ for a given information type, the SSP MUST include a justification for the difference. + Cia Impact Has Selected A FedRAMP SSP information type confidentiality, integrity, or availability impact MUST specify the selected impact. + Has Authenticator Assurance Level A FedRAMP SSP MUST define its NIST SP 800-63 authenticator assurance level (AAL). + Has Authorization Boundary Diagram A FedRAMP SSP MUST have at least one authorization boundary diagram. + Has Authorization Boundary Diagram Caption Each FedRAMP SSP authorization boundary diagram MUST have a caption. + Has Authorization Boundary Diagram Description A FedRAMP SSP document authorization boundary diagram MUST have a description. + Has Authorization Boundary Diagram Link Each FedRAMP SSP authorization boundary diagram MUST have a link. + Has Authorization Boundary Diagram Link Rel Each FedRAMP SSP authorization boundary diagram MUST have a link rel attribute. + Has Authorization Boundary Diagram Link Rel Allowed Value Each FedRAMP SSP authorization boundary diagram MUST have a link rel attribute with the value "diagram". + Has Configuration Management Plan A FedRAMP SSP MUST have a Configuration Management Plan attached. + Has Data Flow A FedRAMP SSP MUST include a data flow section. + Has Data Flow Description An OSCAL SSP document with a data flow MUST have a description. + Has Data Flow Diagram A FedRAMP SSP MUST have at least one data flow diagram. + Has Data Flow Diagram Caption Each FedRAMP SSP data flow diagram MUST have a caption. + Has Data Flow Diagram Description Each FedRAMP SSP data flow diagram MUST have a description. + Has Data Flow Diagram Link Each FedRAMP SSP data flow diagram MUST have a link. + Has Data Flow Diagram Link Rel Each FedRAMP SSP data flow diagram MUST have a link rel attribute. + Has Data Flow Diagram Link Rel Allowed Value Each FedRAMP SSP data flow diagram MUST have a link rel attribute with the value "diagram". + Has Data Flow Diagram Uuid An OSCAL SSP document with a data flow diagram MUST have a unique identifier. + Has Federation Assurance Level A FedRAMP SSP MUST define its NIST SP 800-63 federation assurance level (FAL). + Has Identity Assurance Level A FedRAMP SSP MUST define its NIST SP 800-63 identity assurance level (IAL). + Has Incident Response Plan A FedRAMP SSP MUST have an Incident Response Plan attached. + Has Information System Contingency Plan A FedRAMP SSP MUST have a Contingency Plan attached. + Has Network Architecture A FedRAMP SSP MUST include a network architecture. + Has Network Architecture Diagram A FedRAMP SSP MUST have at least one network architecture diagram. + Has Network Architecture Diagram Caption Each FedRAMP SSP network architecture diagram MUST have a caption. + Has Network Architecture Diagram Description Each FedRAMP SSP network architecture diagram MUST have a description. + Has Network Architecture Diagram Link Each FedRAMP SSP network architecture diagram MUST have a link. + Has Network Architecture Diagram Link Rel Each FedRAMP SSP network architecture diagram MUST have a link rel attribute. + Has Network Architecture Diagram Link Rel Allowed Value Each FedRAMP SSP network architecture diagram MUST have a link rel attribute with the value "diagram". + Has Rules Of Behavior A FedRAMP SSP MUST have Rules of Behavior. - A FedRAMP SSP document MUST specify a security impact level. + Has Security Impact Level + A FedRAMP SSP document MUST specify a security impact level. - A FedRAMP SSP document MUST specify a FIPS 199 categorization. + Has Security Sensitivity Level + A FedRAMP SSP document MUST specify a FIPS 199 categorization. + Has Separation Of Duties Matrix + + A FedRAMP SSP MUST have a Separation of Duties Matrix attached. + Has System Id A FedRAMP SSP MUST have a FedRAMP system identifier. + Has System Name Short A FedRAMP SSP MUST have a short system name. + Has User Guide A FedRAMP SSP MUST have a User Guide attached. - + + Import Profile Has Href Attribute A FedRAMP SSP MUST import a profile or catalog with a valid file or HTTP(S) address. - + + Import Profile Has Valid Content A FedRAMP SSP MUST import a profile or catalog of security controls to reference implemented requirements against those control(s). - -

A FedRAMP SSP MUST use a valid FedRAMP catalog to reference security controls. It MUST NOT reference controls from a non-FedRAMP catalog.

- + Information Type Has Availability Impact A FedRAMP SSP information type MUST have an availability impact. + Information Type Has Confidentiality Impact A FedRAMP SSP information type MUST have a confidentiality impact. + Information Type Has Integrity Impact A FedRAMP SSP information type MUST have an integrity impact. + Resource Has Base64 Or Rlink Every supporting artifact found in a citation MUST have at least one base64 or rlink element. + Resource Has Title Every supporting artifact found in a citation SHOULD have a title. + Security Sensitivity Level Matches Security Impact Level A FedRAMP SSP SHOULD define its FIPS-199 security sensitivity level to match the highest security impact level for the system's confidentiality, integrity, and availability objectives. @@ -268,6 +322,7 @@ + Missing Response Components Each implemented requirement MUST have at least one by-component reference to the source component implementing it. @@ -278,15 +333,18 @@ - + Data Center Alternate + There MUST be one or more alternate data center(s). - + Data Center Count + There MUST be at least two (2) data centers listed. - + Data Center Primary + There MUST be a single primary data center. @@ -295,18 +353,24 @@ + Responsible Party Is Person For roles 'system-owner' and 'information-system-security-officer', the responsible-role party MUST be a party of type 'person'. + Role Defined Authorizing Official POC + + A FedRAMP SSP MUST define a role for the point of contact for an authorizing official. + Role Defined Information System Security Officer A FedRAMP SSP MUST define a role for the point of contact for an information system security officer. + Role Defined System Owner A FedRAMP SSP MUST define the system owner role. @@ -317,10 +381,12 @@ + Data Center Has Country Code Each data center address MUST contain a country code. - + + Data Center In United States Each data center MUST have an address that is within the United States. diff --git a/src/validations/constraints/unit-tests/data-center-us-FAIL.yaml b/src/validations/constraints/unit-tests/data-center-us-FAIL.yaml index 1b206c18c..3b1f17186 100644 --- a/src/validations/constraints/unit-tests/data-center-us-FAIL.yaml +++ b/src/validations/constraints/unit-tests/data-center-us-FAIL.yaml @@ -1,7 +1,7 @@ test-case: - name: Negative Test for data-center-US - description: This test case validates the behavior of constraint data-center-US - content: ../content/ssp-data-center-US-INVALID.xml + name: Negative Test for data-center-us + description: This test case validates the behavior of constraint data-center-us + content: ../content/ssp-data-center-us-INVALID.xml expectations: - - constraint-id: data-center-US + - constraint-id: data-center-us result: fail diff --git a/src/validations/constraints/unit-tests/data-center-us-PASS.yaml b/src/validations/constraints/unit-tests/data-center-us-PASS.yaml index 571133b63..ea5817d96 100644 --- a/src/validations/constraints/unit-tests/data-center-us-PASS.yaml +++ b/src/validations/constraints/unit-tests/data-center-us-PASS.yaml @@ -1,7 +1,7 @@ test-case: - name: Positive Test for data-center-US - description: This test case validates the behavior of constraint data-center-US + name: Positive Test for data-center-us + description: This test case validates the behavior of constraint data-center-us content: ../content/ssp-all-VALID.xml expectations: - - constraint-id: data-center-US + - constraint-id: data-center-us result: pass diff --git a/src/validations/constraints/STYLE.md b/src/validations/styleguides/STYLE.md similarity index 100% rename from src/validations/constraints/STYLE.md rename to src/validations/styleguides/STYLE.md diff --git a/src/validations/styleguides/fedramp-constraint-style.xml b/src/validations/styleguides/fedramp-constraint-style.xml new file mode 100644 index 000000000..8c1f1ea43 --- /dev/null +++ b/src/validations/styleguides/fedramp-constraint-style.xml @@ -0,0 +1,57 @@ + + + + + + + + + + + + + Constraints Have a Help URL Property + + A FedRAMP constraint MUST define a help URL. + + + + Constraints Have a Unique ID + + A FedRAMP constraint MUST have an id. + + + Constraints Have IDs with Lower Case Letters, Numbers, and Dashes + + A FedRAMP constraint id MUST only consist of lowercase letters, numbers 0-9, or "-" characters. + + + Constraints Have an Explicit Severity Level + + A FedRAMP constraint MUST specify a valid severity level. + + + Expect Constraint Message Field Required + + A FedRAMP constraint MUST include a message describing the requirement. + + + IETF BCP14 Keywords in Constraint Messages + + A FedRAMP constraint MUST include one of the IETF BCP14 keywords in the message. + + + Constraints Formal Names Required + + A FedRAMP constraint MUST include a formal name. + + + + + \ No newline at end of file