From b526be0f158293aa9c314d14db2d11beb026d731 Mon Sep 17 00:00:00 2001
From: DimitriZhurkin
Date: Mon, 16 Sep 2024 23:05:59 -0600
Subject: [PATCH] Update SSP metadata role constraints (#676) (#686)
* Update SSP metadata role constraints
* Adjust message text to be more approachable, per PR feedback
---------
Co-authored-by: A.J. Stein
---
 features/fedramp_extensions.feature | 6 ++++++
 .../constraints/content/ssp-all-VALID.xml | 6 ++++++
 .../constraints/fedramp-external-constraints.xml | 12 +++++++++---
 .../role-defined-authorizing-official-poc-FAIL.yaml | 8 ++++++++
 .../role-defined-authorizing-official-poc-PASS.yaml | 8 ++++++++
 ...ned-information-system-security-officer-FAIL.yaml | 8 ++++++++
 ...ned-information-system-security-officer-PASS.yaml | 8 ++++++++
 7 files changed, 53 insertions(+), 3 deletions(-)
 create mode 100644 src/validations/constraints/unit-tests/role-defined-authorizing-official-poc-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/role-defined-authorizing-official-poc-PASS.yaml
 create mode 100644 src/validations/constraints/unit-tests/role-defined-information-system-security-officer-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/role-defined-information-system-security-officer-PASS.yaml
diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature
index ee8fd1e33..b37cc75f5 100644
--- a/features/fedramp_extensions.feature
+++ b/features/fedramp_extensions.feature
@@ -69,6 +69,10 @@ Examples:
 | response-point-PASS.yaml |
 | role-defined-system-owner-FAIL.yaml |
 | role-defined-system-owner-PASS.yaml |
+ | role-defined-authorizing-official-poc-FAIL.yaml |
+ | role-defined-authorizing-official-poc-PASS.yaml |
+ | role-defined-information-system-security-officer-FAIL.yaml |
+ | role-defined-information-system-security-officer-PASS.yaml |
 | scan-type-FAIL.yaml |
 | scan-type-PASS.yaml |
 | user-type-FAIL.yaml |
@@ -115,6 +119,8 @@ Examples:
 | resource-has-base64-or-rlink |
 | resource-has-title |
 | role-defined-system-owner |
+ | role-defined-authorizing-official-poc |
+ | role-defined-information-system-security-officer |
 | scan-type |
 | user-type |
 #END_DYNAMIC_CONSTRAINT_IDS
\ No newline at end of file
diff --git a/src/validations/constraints/content/ssp-all-VALID.xml b/src/validations/constraints/content/ssp-all-VALID.xml
index b1dc0267a..841061010 100644
--- a/src/validations/constraints/content/ssp-all-VALID.xml
+++ b/src/validations/constraints/content/ssp-all-VALID.xml
@@ -26,6 +26,12 @@ System Owner + + Authorizing Official Point of Contact + + + Information System Security Officer (or Equivalent) +
diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
index 2680bc36c..e0ade5942 100644
--- a/src/validations/constraints/fedramp-external-constraints.xml
+++ b/src/validations/constraints/fedramp-external-constraints.xml
@@ -73,14 +73,20 @@ A FedRAMP SSP must define the system owner role. + + A FedRAMP SSP must define a role for the point of contact for an authorizing official. + + + A FedRAMP SSP must define a role for the point of contact for an information system security officer. + - - Each implemented requirement must have at least one by-component reference to the source component implementing it. - + + Each implemented requirement must have at least one by-component reference to the source component implementing it. +
diff --git a/src/validations/constraints/unit-tests/role-defined-authorizing-official-poc-FAIL.yaml b/src/validations/constraints/unit-tests/role-defined-authorizing-official-poc-FAIL.yaml
new file mode 100644
index 000000000..04e258437
--- /dev/null
+++ b/src/validations/constraints/unit-tests/role-defined-authorizing-official-poc-FAIL.yaml
@@ -0,0 +1,8 @@
+# Driver for the invalid role-defined-authorizing-official-poc constraint unit test.
+test-case:
+ name: The invalid role-defined-authorizing-official-poc constraint unit test.
+ description: Test that SSP metadata does not contain the authorizing-official-poc role.
+ content: ../content/ssp-all-INVALID.xml
+ expectations:
+ - constraint-id: role-defined-authorizing-official-poc
+ result: fail
\ No newline at end of file
diff --git a/src/validations/constraints/unit-tests/role-defined-authorizing-official-poc-PASS.yaml b/src/validations/constraints/unit-tests/role-defined-authorizing-official-poc-PASS.yaml
new file mode 100644
index 000000000..bf0446b56
--- /dev/null
+++ b/src/validations/constraints/unit-tests/role-defined-authorizing-official-poc-PASS.yaml
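Review bot: The message added for the information-system-security-officer constraint, `A FedRAMP SSP must define a role for the point of contact for an information system security officer.`, repeats the authorizing-official-poc phrasing, yet that constraint id carries no poc suffix and the title this commit adds to ssp-all-VALID.xml is `Information System Security Officer (or Equivalent)`; the sentence should name the role the way the system-owner message above it does, e.g. `A FedRAMP SSP must define the information system security officer (or equivalent) role.` The hunk as rendered here has lost its XML tags, so the new constraints' ids and test expressions cannot be checked, and the enclosing context element presumably starts and ends outside the hunk. The by-component message at the end of the hunk is removed and re-added with identical text, which together with the 9-insertion/3-deletion diffstat suggests an indentation- or markup-only rewrite unrelated to the role constraints; keeping that out of this commit would make the role change easier to review.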
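Review bot: The `result: fail` expectation relies on `content: ../content/ssp-all-INVALID.xml`, a fixture this commit does not modify, so the negative case holds only because that file happens to lack the role the constraint looks for, not because it was written to exercise the new constraint. Recording that dependency in the driver would protect it from future edits to the shared fixture, e.g. `# Relies on ../content/ssp-all-INVALID.xml defining no authorizing-official-poc role; the constraint must report fail on its absence.` The same applies to role-defined-information-system-security-officer-FAIL.yaml in the later hunk. The `description:` says the metadata `does not contain` the role, whereas what the driver asserts is that the constraint reports fail when the role is missing; wording it that way would line up with `expectations:`.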
@@ -0,0 +1,8 @@
+# Driver for the valid role-defined-authorizing-official-poc constraint unit test.
+test-case:
+ name: The valid role-defined-authorizing-official-poc constraint unit test.
+ description: Test that SSP metadata contains the authorizing-official-poc role.
+ content: ../content/ssp-all-VALID.xml
+ expectations:
+ - constraint-id: role-defined-authorizing-official-poc
+ result: pass
\ No newline at end of file
diff --git a/src/validations/constraints/unit-tests/role-defined-information-system-security-officer-FAIL.yaml b/src/validations/constraints/unit-tests/role-defined-information-system-security-officer-FAIL.yaml
new file mode 100644
index 000000000..24aee5f5f
--- /dev/null
+++ b/src/validations/constraints/unit-tests/role-defined-information-system-security-officer-FAIL.yaml
@@ -0,0 +1,8 @@
+# Driver for the invalid role-defined-information-system-security-officer constraint unit test.
+test-case:
+ name: The invalid role-defined-information-system-security-officer constraint unit test.
+ description: Test that SSP metadata does not contain the information-system-security-officer role.
+ content: ../content/ssp-all-INVALID.xml
+ expectations:
+ - constraint-id: role-defined-information-system-security-officer
+ result: fail
\ No newline at end of file
diff --git a/src/validations/constraints/unit-tests/role-defined-information-system-security-officer-PASS.yaml b/src/validations/constraints/unit-tests/role-defined-information-system-security-officer-PASS.yaml
new file mode 100644
index 000000000..e6400df0a
--- /dev/null
+++ b/src/validations/constraints/unit-tests/role-defined-information-system-security-officer-PASS.yaml
@@ -0,0 +1,8 @@
+# Driver for the valid role-defined-information-system-security-officer constraint unit test.
+test-case:
+ name: The valid role-defined-information-system-security-officer constraint unit test.
+ description: Test that SSP metadata contains the information-system-security-officer role.
+ content: ../content/ssp-all-VALID.xml
+ expectations:
+ - constraint-id: role-defined-information-system-security-officer
+ result: pass
\ No newline at end of file