citations check

features/fedramp_extensions.feature

@@ -48,6 +48,7 @@ Examples:
   | deployment-model |
   | external-system-nature-of-agreement |
   | extraneous-implemented-requirements |
+  | fedramp-citations-has-correct-link |
   | fedramp-version |
   | fully-operational-date-is-valid |
   | fully-operational-date-type |
@@ -75,6 +76,7 @@ Examples:
   | has-data-flow-diagram-link-rel-allowed-value |
   | has-data-flow-diagram-uuid |
   | has-federation-assurance-level |
+  | has-fedramp-citations |
   | has-fully-operational-date |
   | has-identity-assurance-level |
   | has-incident-response-plan |
@@ -92,7 +94,6 @@ Examples:
   | has-rules-of-behavior |
   | has-security-impact-level |
   | has-security-sensitivity-level |
-  | has-separation-of-duties-matrix |
   | has-system-id |
   | has-system-name-short |
   | has-user-guide |
@@ -211,6 +212,8 @@ Examples:
   | external-system-nature-of-agreement-PASS.yaml |
   | extraneous-implemented-requirements-FAIL.yaml |
   | extraneous-implemented-requirements-PASS.yaml |
+  | fedramp-citations-has-correct-link-FAIL.yaml |
+  | fedramp-citations-has-correct-link-PASS.yaml |
   | fedramp-version-FAIL.yaml |
   | fedramp-version-PASS.yaml |
   | fully-operational-date-is-valid-FAIL.yaml |
@@ -265,6 +268,8 @@ Examples:
   | has-data-flow-diagram-uuid-PASS.yaml |
   | has-federation-assurance-level-FAIL.yaml |
   | has-federation-assurance-level-PASS.yaml |
+  | has-fedramp-citations-FAIL.yaml |
+  | has-fedramp-citations-PASS.yaml |
   | has-fully-operational-date-FAIL.yaml |
   | has-fully-operational-date-PASS.yaml |
   | has-identity-assurance-level-FAIL.yaml |
@@ -299,8 +304,6 @@ Examples:
   | has-security-impact-level-PASS.yaml |
   | has-security-sensitivity-level-FAIL.yaml |
   | has-security-sensitivity-level-PASS.yaml |
-  | has-separation-of-duties-matrix-FAIL.yaml |
-  | has-separation-of-duties-matrix-PASS.yaml |
   | has-system-id-FAIL.yaml |
   | has-system-id-PASS.yaml |
   | has-system-name-short-FAIL.yaml |

features/steps/fedramp_extensions_steps.ts

@@ -421,7 +421,7 @@ async function checkConstraints(
               `The content may need adjustment to properly test this constraint.`
           );
         }
-        !quiet && console.error(formatSarifOutput(sarifOutput))
+        !quiet && console.error(formatSarifOutput({version:"2.1.0",runs:[{tool:{driver:{name:"oscal-js"}},results:constraintResults}]}))
         errors.push(""); // Add a blank line for readability
       }
     }

src/validations/constraints/content/ssp-fedramp-citations-has-correct-link-INVALID.xml

@@ -0,0 +1,13 @@
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="11111111-2222-4000-8000-000000000000">
+  <back-matter>      
+    <!-- FedRAMP Laws -->
+    <resource uuid="11111111-2222-4000-8000-001000000003">
+      <title>FedRAMP Applicable Laws and Regulations</title>
+      <prop name="type" value="citation" class="fedramp-citations" />
+      <rlink href="https://example.com"/>
+      <remarks>
+        <p>Must be present in a FedRAMP SSP.</p>
+      </remarks>
+    </resource>
+    </back-matter>
+</system-security-plan>

src/validations/constraints/content/ssp-has-fedramp-citations-INVALID.xml

@@ -0,0 +1,3 @@
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="11111111-2222-4000-8000-000000000000">
+  <back-matter/>
+</system-security-plan>

src/validations/constraints/fedramp-external-constraints.xml

@@ -127,11 +127,21 @@
     <context>
         <metapath target="/system-security-plan/back-matter"/>
         <constraints>
+            <expect id="fedramp-citations-has-correct-link" target="resource[prop[@name='type' and @value='citation' and @class='fedramp-citations']]" test="count(rlink[@href = 'https://www.fedramp.gov/assets/resources/templates/FedRAMP-Laws-Regulations-Standards-and-Guidance-Reference.xlsx']) eq 1" level="ERROR">
+                <formal-name>FedRAMP Citations Has Correct Link</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/"/>
+                <message>The FedRAMP Laws, Regulations, Standards and Guidance MUST be https://www.fedramp.gov/assets/resources/templates/FedRAMP-Laws-Regulations-Standards-and-Guidance-Reference.xlsx</message>
+            </expect>
             <expect id="has-configuration-management-plan" target="." test="exists(resource[prop[@name eq 'type' and @value eq 'plan' and @class eq 'configuration-management-plan']])" level="ERROR">
                 <formal-name>Has Configuration Management Plan</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/"/>
                 <message>A FedRAMP SSP MUST have a Configuration Management Plan attached.</message>
             </expect>
+            <expect id="has-fedramp-citations" target="." test="count(resource[prop[@name='type' and @value='citation' and @class='fedramp-citations']]) = 1" level="ERROR">
+                <formal-name>Has FedRAMP Citations Reference</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/"/>
+                <message>A FedRAMP MUST be have exactly one resource with a link to the FedRAMP Laws, Regulations, Standards and Guidance, but {count(resource[prop[@name='type' and @value='citation' and @class='fedramp-citations']])} found.</message>
+            </expect>
             <expect id="has-incident-response-plan" target="." test="exists(resource[prop[@name eq 'type' and @value eq 'plan' and @class eq 'incident-response-plan']])" level="ERROR">
                 <formal-name>Has Incident Response Plan</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/"/>

src/validations/constraints/unit-tests/fedramp-citations-has-correct-link-FAIL.yaml

@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for fedramp-citations-has-correct-link
+  description: >-
+    This test case validates the behavior of constraint
+    fedramp-citations-has-correct-link
+  content: ../content/ssp-fedramp-citations-has-correct-link-INVALID.xml
+  expectations:
+    - constraint-id: fedramp-citations-has-correct-link
+      result: fail

src/validations/constraints/unit-tests/fedramp-citations-has-correct-link-PASS.yaml

@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for fedramp-citations-has-correct-link
+  description: >-
+    This test case validates the behavior of constraint
+    fedramp-citations-has-correct-link
+  content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+  expectations:
+    - constraint-id: fedramp-citations-has-correct-link
+      result: pass

src/validations/constraints/unit-tests/has-fedramp-citations-FAIL.yaml

@@ -0,0 +1,7 @@
+test-case:
+  name: Negative Test for has-fedramp-citations
+  description: This test case validates the behavior of constraint has-fedramp-citations
+  content: ../content/ssp-has-fedramp-citations-INVALID.xml
+  expectations:
+    - constraint-id: has-fedramp-citations
+      result: fail

src/validations/constraints/unit-tests/has-fedramp-citations-PASS.yaml

@@ -0,0 +1,7 @@
+test-case:
+  name: Positive Test for has-fedramp-citations
+  description: This test case validates the behavior of constraint has-fedramp-citations
+  content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+  expectations:
+    - constraint-id: has-fedramp-citations
+      result: pass