SSP Leveraged Authorization Component Entries

[brian-ruf]

Constraint Task

As a FedRAMP Reviewer, I need to ensure that any leveraged authorization entries have required content in associated components.

Intended Outcome

• Ensure every leveraged authorization entry is associated with exactly one component of type "system"
• Ensure every "system" component linked to a leveraged authorization has exactly one nature-of-agreement FedRAMP extension property
• Ensure every "system" component linked to a leveraged authorization has at least one information-type FedRAMP extension property
• Ensure every "system" component linked to a leveraged authorization has at least one leveraged authorization users (WARN) ADDED
• Ensure every "system" component linked to a leveraged authorization has exactly one implementation point property, and that it is set to "external" ADDED

Syntax Type

This is a mix of required, optional, and/or extended syntax.

Allowed Values

NIST-allowed values must be extended with FedRAMP allowed values.

Metapath(s) to Content

target="//system-implementation/leveraged-authorization"

count(//system-implementation/component[@type='system' and ./prop[@name='leveraged-authorization-uuid']][@value=./@uuid]) = 1

count(//system-implementation/component[@type='system'  and ./prop[@name='leveraged-authorization-uuid']]/prop[@name='nature-of-agreement' and @ns='http://fedramp.gov/ns/oscal']) = 1

count(//system-implementation/component[@type='system' and ./prop[@name='leveraged-authorization-uuid']]/prop[@name='information-type' and @ns='http://fedramp.gov/ns/oscal']) >= 1

count(//system-implementation/component[@type='system' and ./prop[@name='leveraged-authorization-uuid']]/responsible-role[@role-id='leveraged-authorization-users']//party-uuid) >= 1

count(//system-implementation/component[@type='system' and ./prop[@name='leveraged-authorization-uuid']]/prop[@name='implementation-point']) = 1

count(//system-implementation/component[@type='system' and ./prop[@name='leveraged-authorization-uuid']]/prop[@name='implementation-point' and @value = 'external']) = 

Purpose of the OSCAL Content

The content provides information necessary for reviewers to properly evaluate leveraged authorizations. This information is consistent with the requirements of Table 6.1 of the FedRAMP Rev 5 SSP Template.

Dependencies

None

Acceptance Criteria

• All OSCAL adoption content affected by the change in this issue have been updated in accordance with the Documentation Standards.
  • Explanation is present and accurate
  • sample content is present and accurate
  • Metapath is present, accurate, and does not throw a syntax exception using oscal-cli metaschema metapath eval -e "expression".
• All constraints associated with the review task have been created
• The appropriate example OSCAL file is updated with content that demonstrates the FedRAMP-compliant OSCAL presentation.
• The constraint conforms to the FedRAMP Constraint Style Guide.
  • All automated and manual review items that identify non-conformance are addressed; or technical leads (David Waltermire; AJ Stein) have approved the PR and “override” the style guide requirement.
• Known good test content is created for unit testing.
• Known bad test content is created for unit testing.
• Unit testing is configured to run both known good and known bad test content examples.
• Passing and failing unit tests, and corresponding test vectors in the form of known valid and invalid OSCAL test files, are created or updated for each constraint.
• A Pull Request (PR) is submitted that fully addresses the goals section of the User Story in the issue.
• This issue is referenced in the PR.

Other information

No response

[brian-ruf]

@Rene2mt please be aware one constraint had an incorrect predicate related to responsible-role

It had:
count(//system-implementation/component[@type='system' and ./prop[@name='implementation-point']]/responsible-role[@role-id='leveraged-authorization-users']//party-uuid) >= 1

I updated it to:
count(//system-implementation/component[@type='system' and ./prop[@name='leveraged-authorization-uuid']]/responsible-role[@role-id='leveraged-authorization-users']//party-uuid) >= 1