Update SSP metadata role constraints (#676) (#686)

* Update SSP metadata role constraints * Adjust message text to be more approachable, per PR feedback --------- Co-authored-by: A.J. Stein <[email protected]>
GSA · Sep 24, 2024 · b526be0 · b526be0
1 parent 1dbf9c2
commit b526be0
Show file tree

Hide file tree

Showing 7 changed files with 53 additions and 3 deletions.
diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature
@@ -69,6 +69,10 @@ Examples:
   | response-point-PASS.yaml |
   | role-defined-system-owner-FAIL.yaml |
   | role-defined-system-owner-PASS.yaml |
+  | role-defined-authorizing-official-poc-FAIL.yaml |
+  | role-defined-authorizing-official-poc-PASS.yaml |
+  | role-defined-information-system-security-officer-FAIL.yaml |
+  | role-defined-information-system-security-officer-PASS.yaml |
   | scan-type-FAIL.yaml |
   | scan-type-PASS.yaml |
   | user-type-FAIL.yaml |
@@ -115,6 +119,8 @@ Examples:
   | resource-has-base64-or-rlink |
   | resource-has-title |
   | role-defined-system-owner |
+  | role-defined-authorizing-official-poc |
+  | role-defined-information-system-security-officer |
   | scan-type |
   | user-type |
 #END_DYNAMIC_CONSTRAINT_IDS
diff --git a/src/validations/constraints/content/ssp-all-VALID.xml b/src/validations/constraints/content/ssp-all-VALID.xml
@@ -26,6 +26,12 @@
     <role id="system-owner">
       <title>System Owner</title>
     </role>
+     <role id="authorizing-official-poc">
+       <title>Authorizing Official Point of Contact</title>
+     </role>
+     <role id="information-system-security-officer">
+       <title>Information System Security Officer (or Equivalent)</title>
+     </role>
 
     <location uuid="11111112-0000-4000-9001-000000000009">
       <address >

diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
@@ -73,14 +73,20 @@
             <expect id="role-defined-system-owner" target="." test="role[@id eq 'system-owner']" level="ERROR">
                 <message>A FedRAMP SSP must define the system owner role.</message>
             </expect>
+            <expect id="role-defined-authorizing-official-poc" target="." test="role[@id eq 'authorizing-official-poc']" level="ERROR">
+                <message>A FedRAMP SSP must define a role for the point of contact for an authorizing official.</message>
+            </expect>
+            <expect id="role-defined-information-system-security-officer" target="." test="role[@id eq 'information-system-security-officer']" level="ERROR">
+                <message>A FedRAMP SSP must define a role for the point of contact for an information system security officer.</message>
+            </expect>
         </constraints>
     </context>
     <context>
         <metapath target="/system-security-plan/control-implementation"/>
         <constraints>
-        <expect id="missing-response-components" target="implemented-requirement" test="count(./by-component) gt 0">
-            <message>Each implemented requirement must have at least one by-component reference to the source component implementing it.</message>
-        </expect>
+            <expect id="missing-response-components" target="implemented-requirement" test="count(./by-component) gt 0">
+                <message>Each implemented requirement must have at least one by-component reference to the source component implementing it.</message>
+            </expect>
         </constraints>
     </context>
 </metaschema-meta-constraints>
diff --git a/src/validations/constraints/unit-tests/role-defined-authorizing-official-poc-FAIL.yaml b/src/validations/constraints/unit-tests/role-defined-authorizing-official-poc-FAIL.yaml
@@ -0,0 +1,8 @@
+# Driver for the invalid role-defined-authorizing-official-poc constraint unit test.
+test-case:
+  name: The invalid role-defined-authorizing-official-poc constraint unit test.
+  description: Test that SSP metadata does not contain the authorizing-official-poc role.
+  content: ../content/ssp-all-INVALID.xml
+  expectations:
+  - constraint-id: role-defined-authorizing-official-poc
+    result: fail
diff --git a/src/validations/constraints/unit-tests/role-defined-authorizing-official-poc-PASS.yaml b/src/validations/constraints/unit-tests/role-defined-authorizing-official-poc-PASS.yaml
@@ -0,0 +1,8 @@
+# Driver for the valid role-defined-authorizing-official-poc constraint unit test.
+test-case:
+  name: The valid role-defined-authorizing-official-poc constraint unit test.
+  description: Test that SSP metadata contains the authorizing-official-poc role.
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+  - constraint-id: role-defined-authorizing-official-poc
+    result: pass
diff --git a/...dations/constraints/unit-tests/role-defined-information-system-security-officer-FAIL.yaml b/...dations/constraints/unit-tests/role-defined-information-system-security-officer-FAIL.yaml
@@ -0,0 +1,8 @@
+# Driver for the invalid role-defined-information-system-security-officer constraint unit test.
+test-case:
+  name: The invalid role-defined-information-system-security-officer constraint unit test.
+  description: Test that SSP metadata does not contain the information-system-security-officer role.
+  content: ../content/ssp-all-INVALID.xml
+  expectations:
+  - constraint-id: role-defined-information-system-security-officer
+    result: fail
diff --git a/...dations/constraints/unit-tests/role-defined-information-system-security-officer-PASS.yaml b/...dations/constraints/unit-tests/role-defined-information-system-security-officer-PASS.yaml
@@ -0,0 +1,8 @@
+# Driver for the valid role-defined-information-system-security-officer constraint unit test.
+test-case:
+  name: The valid role-defined-information-system-security-officer constraint unit test.
+  description: Test that SSP metadata contains the information-system-security-officer role.
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+  - constraint-id: role-defined-information-system-security-officer
+    result: pass