diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature index 955fce586..687ca8a83 100644 --- a/features/fedramp_extensions.feature +++ b/features/fedramp_extensions.feature @@ -1,5 +1,9 @@ Feature: OSCAL Document Constraints +@style-guide +Scenario Outline: Validating OSCAL constraints with metaschema constraints + Then I should verify that all constraints follow the style guide constraint + @constraints Scenario Outline: Validating OSCAL documents with metaschema constraints Given I have Metaschema extensions documents @@ -208,11 +212,11 @@ Examples: | cloud-service-model | | component-type | | control-implementation-status | - | data-center-US | | data-center-alternate | | data-center-count | | data-center-country-code | | data-center-primary | + | data-center-us | | deployment-model | | fedramp-version | | has-authenticator-assurance-level | diff --git a/features/steps/fedramp_extensions_steps.ts b/features/steps/fedramp_extensions_steps.ts index 13574ac84..f6973a0a8 100644 --- a/features/steps/fedramp_extensions_steps.ts +++ b/features/steps/fedramp_extensions_steps.ts 
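Review bot: The new `@style-guide` scenario in the first hunk is declared as `Scenario Outline:` but has no `Examples:` table and no `<placeholder>` in its single `Then` step. Depending on the cucumber-js/Gherkin version in use, an outline without examples either runs once like a plain scenario or expands to zero test cases, and in the second case `test:style` would report success without running the style check. Declaring it as `Scenario:` removes that ambiguity. Its title also differs from the existing `@constraints` outline by one word, so a distinct name such as `Validating constraint definitions against the style guide` would make reports easier to read.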
@@ -652,4 +652,56 @@ Then("I should have both FAIL and PASS tests for constraint ID {string}", functi constraintId, `Constraint ${constraintId} is not in the extracted constraints list` ); +}); + +Then('I should verify that all constraints follow the style guide constraint', async function () { + const baseDir = join(__dirname, '..', '..'); + const constraintDir = join(baseDir, 'src', 'validations', 'constraints'); + const styleGuidePath = join(baseDir, 'src', 'validations', 'styleguides', 'fedramp-constraint-style.xml'); + + const constraint_files = readdirSync(constraintDir).filter((file) => file.startsWith('fedramp') && file.endsWith('constraints.xml') ); + const errors = []; + + function filterOutBrackets(input) { + return input.replace(/\[.*?\]/g, ''); + } + + for (const file_name of constraint_files) { + const filePath = join(constraintDir, file_name.trim()); + console.log(filePath); + try { + console.log(filePath); + const [result, error] = await executeOscalCliCommand('metaschema', [ + 'validate', + filePath, + '-c', + styleGuidePath, + '--disable-schema-validation' + ]); + + console.log(`Validation result for ${file_name}:`, result); + if (error) { + console.error(`Validation error for ${file_name}:`, error); + } + + const filteredError = filterOutBrackets(error); + if (filteredError) { + errors.push(`Style guide validation failed for ${file_name}: ${filteredError}`); + } + if (result.includes("ERROR")) { + errors.push(`Style guide validation found errors in ${file_name}: ${result}`); + } + } catch (error) { + errors.push(`Error processing ${file_name}: ${error}`); + } + } + + // Display all errors at the end + if (errors.length > 0) { + console.error("Validation errors found:"); + + throw new Error("Style guide validation failed. "+errors.join("\n")); + } + + expect(errors, "No style guide validation errors should be found").to.be.empty; }); \ No newline at end of file diff --git a/package.json b/package.json index b405283d3..0d9c73039 100644 
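Review bot: This step can pass without validating anything: if `readdirSync(constraintDir).filter(...)` matches no files (for example after a directory or suffix rename), the loop never runs, `errors` stays empty and the scenario is green; add `expect(constraint_files, 'no constraint files matched').to.not.be.empty;` before the loop. The failure signal also depends on `result.includes("ERROR")` and on stderr being non-empty after `filterOutBrackets`, so a null or undefined `error` makes `.replace` throw and whitespace left after stripping counts as a failure; `const filteredError = filterOutBrackets(error ?? '').trim();` avoids both, assuming `executeOscalCliCommand` can return an empty error value, which this hunk does not show. If the CLI wrapper exposes an exit status, checking it would be a sturdier gate than matching a substring of the output. The duplicated `console.log(filePath)` can go, as can the trailing `expect(errors, ...)`, which can only ever pass because the `throw` above already handles the non-empty case.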
--- a/package.json +++ b/package.json @@ -12,6 +12,7 @@ "test:failed": "cross-env NODE_OPTIONS=\"--loader ts-node/esm --no-warnings --experimental-specifier-resolution=node\" cucumber-js -p rerun", "test:constraints": "cross-env NODE_OPTIONS=\"--loader ts-node/esm --no-warnings --experimental-specifier-resolution=node\" cucumber-js --tags @constraints", "test:coverage": "cross-env NODE_OPTIONS=\"--loader ts-node/esm --no-warnings --experimental-specifier-resolution=node\" cucumber-js --tags @full-coverage", + "test:style": "cross-env-shell NODE_OPTIONS=\"--loader ts-node/esm --no-warnings --experimental-specifier-resolution=node\" cucumber-js --tags @style-guide", "mq": "node ./src/scripts/dev-metaschema-eval.js", "constraint": "node ./src/scripts/dev-constraint.js" }, diff --git a/src/validations/constraints/content/ssp-data-center-country-code-INVALID.xml b/src/validations/constraints/content/ssp-data-center-country-code-INVALID.xml index 217db047c..717365051 100644 --- a/src/validations/constraints/content/ssp-data-center-country-code-INVALID.xml +++ b/src/validations/constraints/content/ssp-data-center-country-code-INVALID.xml @@ -7,7 +7,7 @@
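Review bot: `test:style` is the only script in this hunk that uses `cross-env-shell`; the neighbouring `test:constraints` and `test:coverage` entries use `cross-env` with the same `NODE_OPTIONS` value. `cross-env-shell` passes the whole command string through a shell, which changes quoting and expansion behaviour and is not needed for a single `cucumber-js` invocation. Unless the difference is intentional, use `cross-env` here too so every test script is launched the same way.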
- +
diff --git a/src/validations/constraints/content/ssp-data-center-US-INVALID.xml b/src/validations/constraints/content/ssp-data-center-us-INVALID.xml similarity index 100% rename from src/validations/constraints/content/ssp-data-center-US-INVALID.xml rename to src/validations/constraints/content/ssp-data-center-us-INVALID.xml diff --git a/src/validations/constraints/fedramp-external-allowed-values.xml b/src/validations/constraints/fedramp-external-allowed-values.xml index b79d8aa7d..cb9fac12d 100644 --- a/src/validations/constraints/fedramp-external-allowed-values.xml +++ b/src/validations/constraints/fedramp-external-allowed-values.xml @@ -12,15 +12,18 @@ - - - - FedRAMP Version - Identifies the FedRAMP version of the document. - FedRAMP Version + + + Address Type + The type of address for the party + + Work + +

FedRAMP requires work addresses.

+
- + Attachment Type Identifies the type of attachment. @@ -62,6 +65,23 @@ + + Authorization Type + The FedRAMP Authorization Type + FedRAMP JAB P-ATO + FedRAMP Agency ATO + FedRAMP Tailored for LI-SaaS + + + + Cloud Service Model + The cloud service model used by the system. + Infrastructure as a Service + Platform as a Service + Software as a Service + Other + + Component Type Identifies the component type. @@ -91,51 +111,6 @@ Not Applicable - - Interconnection Direction - Identifies the direction of information flow for the interconnection. - Incoming - Outgoing - Bi-Directional - - - - Interconnection Security - Identifies the type of security applied to the interconnection. - IPsec - Virtual Private Network - Transport-Layer Security - Transport-Layer Security - Certificate Authentication Security - Secure File Transfer - Other - - - - Scan Type - Identifies the type of scan. - Infrastructure and Operating System Scan - Database Scan - Web Scan - Other - - - Address Type - The type of address for the party - - Work - -

FedRAMP requires work addresses.

-
-
- - - Authorization Type - The FedRAMP Authorization Type - FedRAMP JAB P-ATO - FedRAMP Agency ATO - FedRAMP Tailored for LI-SaaS - Deployment Model The cloud deployment model. @@ -145,66 +120,13 @@ Hybrid Other - - Authorization Type - The FedRAMP Authorization Type - FedRAMP JAB P-ATO - FedRAMP Agency ATO - FedRAMP Tailored for LI-SaaS - - - User Type - The type of user. - - Internal - External - Privileged - - - Information Type Categorization System - The system used for categorizing information types. - NIST SP 800-60 Volume 2 Revision 1 - - - Privilege Level - The privilege level of the user. - - Read - Read-Write - Write - No Access - - - Cloud Service Model - The cloud service model used by the system. - Infrastructure as a Service - Platform as a Service - Software as a Service - Other + + FedRAMP Version + Identifies the FedRAMP version of the document. + FedRAMP Version - - Virtual - Indicates if the asset is virtual. - Yes - No - - - - Public - Indicates if the asset is exposed to the public Internet. - Yes - No - - - - Allows Authenticated Scan - Indicates if the asset is capable of having an authenticated scan. - Yes - No - - NIST SP 800-60 Volume 2 Revision 1 Information Types Contains a list of all supported information types from NIST SP 800-60 Volume 2 Revision 1. 
@@ -379,6 +301,71 @@ Industry Sector Income Stabilization + + Information Type Categorization System + The system used for categorizing information types. + NIST SP 800-60 Volume 2 Revision 1 + + + + Interconnection Direction + Identifies the direction of information flow for the interconnection. + Incoming + Outgoing + Bi-Directional + + + + Interconnection Security + Identifies the type of security applied to the interconnection. + IPsec + Virtual Private Network + Transport-Layer Security + Transport-Layer Security + Certificate Authentication Security + Secure File Transfer + Other + + + + Allows Authenticated Scan + Indicates if the asset is capable of having an authenticated scan. + Yes + No + + + + Public + Indicates if the asset is exposed to the public Internet. + Yes + No + + + + Virtual + Indicates if the asset is virtual. + Yes + No + + + + Privilege Level + The privilege level of the user. + + Read + Read-Write + Write + No Access + + + + Scan Type + Identifies the type of scan. + Infrastructure and Operating System Scan + Database Scan + Web Scan + Other + Privilege Level @@ -389,6 +376,7 @@ Write No Access + User Sensitvity Level Sensitivity level of the user. @@ -399,8 +387,17 @@ Limited Not Applicable -
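Review bot: The reordered file still appears to contain two `Privilege Level` blocks: the `@@ -379,6 +301,71 @@` hunk adds one (`Read`, `Read-Write`, `Write`, `No Access`) directly ahead of an unchanged block with the same title and trailing values, which the following `@@ -389,6 +376,7 @@` hunk shows as context. The duplicated `Authorization Type` blocks removed in the earlier hunks were collapsed into a single added block, so the remaining `Privilege Level` pair looks like an oversight rather than intent. The element markup is not visible on this page, so confirm that the two blocks do not differ in id or target before dropping one. The context title `User Sensitvity Level` in the same area is misspelled and could be corrected to `User Sensitivity Level` in this pass.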
+ + User Type + The type of user. + + Internal + External + Privileged + + + @@ -408,6 +405,7 @@ + Security Impact Level The security objective level as defined by NIST SP 800-60. @@ -415,7 +413,8 @@ Moderate High + - + \ No newline at end of file diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml index 4f41cc490..de35545c6 100644 --- a/src/validations/constraints/fedramp-external-constraints.xml +++ b/src/validations/constraints/fedramp-external-constraints.xml @@ -4,10 +4,11 @@ - + + Fedramp Version A FedRAMP document's metadata MUST define a valid FedRAMP version. @@ -22,22 +23,27 @@ + User Has Authorized Privilege A FedRAMP document MUST define a user with at least one authorized privilege by a privilege identifier. + User Has Privilege Level A FedRAMP document MUST define a user with a privilege for their use of the system. + User Has Role ID A FedRAMP document MUST define a user with at least one role by a role identifier. + User Has Sensitivity Level A FedRAMP document MUST define a user with a sensitivity level of their use of the system. + User Has User Type A FedRAMP document MUST define a user with a type. @@ -50,7 +56,9 @@ - Duplicate response point at '{ path(.) }'. + Prop Response Point Has Cardinality One + + MUST NOT have Duplicate response point at '{ path(.) }'.

This appears in FedRAMP profiles and resolved profile catalogs.
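Review bot: The rewritten message `MUST NOT have Duplicate response point at '{ path(.) }'.` in the `@@ -50,7 +56,9 @@` hunk has no subject and reads as a fragment; it looks as if the keyword was prefixed only to satisfy the BCP14 style rule. A full sentence such as `A response point MUST NOT be duplicated; duplicate found at '{ path(.) }'.` keeps the keyword and still tells the author where the problem is. The formal names added in the neighbouring hunks of this file (`Fedramp Version`, `Cia Impact Has Selected`) write the acronyms in title case while the messages beside them use `FedRAMP`; `FedRAMP Version` and `CIA Impact Has Selected` would be consistent.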

@@ -72,189 +80,238 @@ then ('fips-199-moderate') else ('fips-199-low')"/> + Categorization Has Correct System Attribute - A FedRAMP SSP information-type categorization requires a correct system attribute. FedRAMP only supports the system value 'https://doi.org/10.6028/NIST.SP.800-60v2r1'. + A FedRAMP SSP information-type categorization MUST have a correct system attribute. FedRAMP only supports the system value 'https://doi.org/10.6028/NIST.SP.800-60v2r1'. + Categorization Has Information Type ID A FedRAMP SSP information type categorization MUST have at least one information type identifier. + Cia Impact Has Adjustment Justification When SP 800-60 base and selected impacts levels differ for a given information type, the SSP MUST include a justification for the difference. + Cia Impact Has Selected A FedRAMP SSP information type confidentiality, integrity, or availability impact MUST specify the selected impact. + Has Authenticator Assurance Level A FedRAMP SSP MUST define its NIST SP 800-63 authenticator assurance level (AAL). + Has Authorization Boundary Diagram A FedRAMP SSP MUST have at least one authorization boundary diagram. + Has Authorization Boundary Diagram Caption Each FedRAMP SSP authorization boundary diagram MUST have a caption. + Has Authorization Boundary Diagram Description A FedRAMP SSP document authorization boundary diagram MUST have a description. + Has Authorization Boundary Diagram Link Each FedRAMP SSP authorization boundary diagram MUST have a link. + Has Authorization Boundary Diagram Link Rel Each FedRAMP SSP authorization boundary diagram MUST have a link rel attribute. + Has Authorization Boundary Diagram Link Rel Allowed Value Each FedRAMP SSP authorization boundary diagram MUST have a link rel attribute with the value "diagram". + Has Configuration Management Plan A FedRAMP SSP MUST have a Configuration Management Plan attached. + Has Data Flow A FedRAMP SSP MUST include a data flow section. 
+ Has Data Flow Description An OSCAL SSP document with a data flow MUST have a description. + Has Data Flow Diagram A FedRAMP SSP MUST have at least one data flow diagram. + Has Data Flow Diagram Caption Each FedRAMP SSP data flow diagram MUST have a caption. + Has Data Flow Diagram Description Each FedRAMP SSP data flow diagram MUST have a description. + Has Data Flow Diagram Link Each FedRAMP SSP data flow diagram MUST have a link. + Has Data Flow Diagram Link Rel Each FedRAMP SSP data flow diagram MUST have a link rel attribute. + Has Data Flow Diagram Link Rel Allowed Value Each FedRAMP SSP data flow diagram MUST have a link rel attribute with the value "diagram". + Has Data Flow Diagram Uuid An OSCAL SSP document with a data flow diagram MUST have a unique identifier. + Has Federation Assurance Level A FedRAMP SSP MUST define its NIST SP 800-63 federation assurance level (FAL). + Has Identity Assurance Level A FedRAMP SSP MUST define its NIST SP 800-63 identity assurance level (IAL). + Has Incident Response Plan A FedRAMP SSP MUST have an Incident Response Plan attached. + Has Information System Contingency Plan A FedRAMP SSP MUST have a Contingency Plan attached. + Has Network Architecture A FedRAMP SSP MUST include a network architecture. + Has Network Architecture Diagram A FedRAMP SSP MUST have at least one network architecture diagram. + Has Network Architecture Diagram Caption Each FedRAMP SSP network architecture diagram MUST have a caption. + Has Network Architecture Diagram Description Each FedRAMP SSP network architecture diagram MUST have a description. + Has Network Architecture Diagram Link Each FedRAMP SSP network architecture diagram MUST have a link. + Has Network Architecture Diagram Link Rel Each FedRAMP SSP network architecture diagram MUST have a link rel attribute. + Has Network Architecture Diagram Link Rel Allowed Value Each FedRAMP SSP network architecture diagram MUST have a link rel attribute with the value "diagram". 
+ Has Rules Of Behavior A FedRAMP SSP MUST have Rules of Behavior. - A FedRAMP SSP document MUST specify a security impact level. + Has Security Impact Level + A FedRAMP SSP document MUST specify a security impact level. - A FedRAMP SSP document MUST specify a FIPS 199 categorization. + Has Security Sensitivity Level + A FedRAMP SSP document MUST specify a FIPS 199 categorization. + Has Separation Of Duties Matrix + + A FedRAMP SSP MUST have a Separation of Duties Matrix attached. + Has System Id A FedRAMP SSP MUST have a FedRAMP system identifier. + Has System Name Short A FedRAMP SSP MUST have a short system name. + Has User Guide A FedRAMP SSP MUST have a User Guide attached. + Import Profile Has Href Attribute A FedRAMP SSP MUST import a profile or catalog with a valid file or HTTP(S) address. + Import Profile Has Valid Content A FedRAMP SSP MUST import a profile or catalog of security controls to reference implemented requirements against those control(s). + Information Type Has Availability Impact A FedRAMP SSP information type MUST have an availability impact. + Information Type Has Confidentiality Impact A FedRAMP SSP information type MUST have a confidentiality impact. + Information Type Has Integrity Impact A FedRAMP SSP information type MUST have an integrity impact. + Resource Has Base64 Or Rlink Every supporting artifact found in a citation MUST have at least one base64 or rlink element. + Resource Has Title Every supporting artifact found in a citation SHOULD have a title. + Security Sensitivity Level Matches Security Impact Level A FedRAMP SSP SHOULD define its FIPS-199 security sensitivity level to match the highest security impact level for the system's confidentiality, integrity, and availability objectives. @@ -265,6 +322,7 @@ + Missing Response Components Each implemented requirement MUST have at least one by-component reference to the source component implementing it. 
@@ -275,15 +333,18 @@ - + Data Center Alternate + There MUST be one or more alternate data center(s). - + Data Center Count + There MUST be at least two (2) data centers listed. - + Data Center Primary + There MUST be a single primary data center. @@ -292,18 +353,24 @@ + Responsible Party Is Person For roles 'system-owner' and 'information-system-security-officer', the responsible-role party MUST be a party of type 'person'. + Role Defined Authorizing Official POC + + A FedRAMP SSP MUST define a role for the point of contact for an authorizing official. + Role Defined Information System Security Officer A FedRAMP SSP MUST define a role for the point of contact for an information system security officer. + Role Defined System Owner A FedRAMP SSP MUST define the system owner role. @@ -314,10 +381,12 @@ + Data Center Has Country Code Each data center address MUST contain a country code. - + + Data Center In United States Each data center MUST have an address that is within the United States. diff --git a/src/validations/constraints/unit-tests/data-center-us-FAIL.yaml b/src/validations/constraints/unit-tests/data-center-us-FAIL.yaml index 1b206c18c..3b1f17186 100644 --- a/src/validations/constraints/unit-tests/data-center-us-FAIL.yaml +++ b/src/validations/constraints/unit-tests/data-center-us-FAIL.yaml @@ -1,7 +1,7 @@ test-case: - name: Negative Test for data-center-US - description: This test case validates the behavior of constraint data-center-US - content: ../content/ssp-data-center-US-INVALID.xml + name: Negative Test for data-center-us + description: This test case validates the behavior of constraint data-center-us + content: ../content/ssp-data-center-us-INVALID.xml expectations: - - constraint-id: data-center-US + - constraint-id: data-center-us result: fail diff --git a/src/validations/constraints/unit-tests/data-center-us-PASS.yaml b/src/validations/constraints/unit-tests/data-center-us-PASS.yaml index 571133b63..ea5817d96 100644 
--- a/src/validations/constraints/unit-tests/data-center-us-PASS.yaml +++ b/src/validations/constraints/unit-tests/data-center-us-PASS.yaml @@ -1,7 +1,7 @@ test-case: - name: Positive Test for data-center-US - description: This test case validates the behavior of constraint data-center-US + name: Positive Test for data-center-us + description: This test case validates the behavior of constraint data-center-us content: ../content/ssp-all-VALID.xml expectations: - - constraint-id: data-center-US + - constraint-id: data-center-us result: pass diff --git a/src/validations/constraints/STYLE.md b/src/validations/styleguides/STYLE.md similarity index 100% rename from src/validations/constraints/STYLE.md rename to src/validations/styleguides/STYLE.md diff --git a/src/validations/styleguides/fedramp-constraint-style.xml b/src/validations/styleguides/fedramp-constraint-style.xml new file mode 100644 index 000000000..8c1f1ea43 --- /dev/null +++ b/src/validations/styleguides/fedramp-constraint-style.xml @@ -0,0 +1,57 @@ + + + + + + + + + + + + + Constraints Have a Help URL Property + + A FedRAMP constraint MUST define a help URL. + + + + Constraints Have a Unique ID + + A FedRAMP constraint MUST have an id. + + + Constraints Have IDs with Lower Case Letters, Numbers, and Dashes + + A FedRAMP constraint id MUST only consist of lowercase letters, numbers 0-9, or "-" characters. + + + Constraints Have an Explicit Severity Level + + A FedRAMP constraint MUST specify a valid severity level. + + + Expect Constraint Message Field Required + + A FedRAMP constraint MUST include a message describing the requirement. + + + IETF BCP14 Keywords in Constraint Messages + + A FedRAMP constraint MUST include one of the IETF BCP14 keywords in the message. + + + Constraints Formal Names Required + + A FedRAMP constraint MUST include a formal name. + + + + + \ No newline at end of file