Check "prepared by" metadata for a document

[aj-stein-gsa]

Constraint Task

As a digital authorization package maintainer, to meet FedRAMP requirements, avoid pass-backs, and properly identify who prepared the SSP, I want to know all my documents in the package have properly selected identified who prepared the document or return a passback error.

Intended Outcome

• A constraint to check the is a role with an ID of "prepared-by". (id="role-defined-prepared-by" level="ERROR")
• A constraint to check there is a responsible party that is bound to that role. (id="responsible-party-prepared-by" level="ERROR")
• A constraint to check the the party bound to prepared-by has address information (Embedded address assembly in party or location-uuid with the following minimum fields, "id="responsible-party-prepared-by-location-valid" level="WARNING"):

         <address type="work">
            <addr-line>...</addr-line>
            <city>...</city>
            <state>...</state>
            <postal-code>...</postal-code>
            <!-- country required by other constraints -->
         </address>

Syntax Type

This is required core OSCAL syntax.

Allowed Values

There are no relevant allowed values.

Metapath(s) to Content

/system-security-plan/metadata/role[@id="prepared-by"]
/system-security-plan/metadata/responsible-party[@role-id="prepared-by"]
/system-security-plan/metadata/responsible-party[@role-id="prepared-by"]/@party-uuid
/system-security-plan/metadata/party/location-uuid
/system-security-plan/metadata/party/location-uuid

Purpose of the OSCAL Content

1. Check completeness of metadata around package document maintainers.

Dependencies

No response

Acceptance Criteria

• All OSCAL adoption content affected by the change in this issue have been updated in accordance with the Documentation Standards.
  • Explanation is present and accurate
  • sample content is present and accurate
  • Metapath is present, accurate, and does not throw a syntax exception using oscal-cli metaschema metapath eval -e "expression".
• All constraints associated with the review task have been created
• The appropriate example OSCAL file is updated with content that demonstrates the FedRAMP-compliant OSCAL presentation.
• The constraint conforms to the FedRAMP Constraint Style Guide.
  • All automated and manual review items that identify non-conformance are addressed; or technical leads (David Waltermire; AJ Stein) have approved the PR and “override” the style guide requirement.
• Known good test content is created for unit testing.
• Known bad test content is created for unit testing.
• Unit testing is configured to run both known good and known bad test content examples.
• Passing and failing unit tests, and corresponding test vectors in the form of known valid and invalid OSCAL test files, are created or updated for each constraint.
• A Pull Request (PR) is submitted that fully addresses the goals section of the User Story in the issue.
• This issue is referenced in the PR.

Other information

This task is part of #805.

[aj-stein-gsa]

@Gabeblis, apologies, the requirements mistake is completely on me. See #805 (comment) and the above message for more details. I am going to update the requirements above, but can you also check the embedded address assembly, not just the by-reference location-uuid approach? 🤦