Add back-matter 'has' constraints

[Gabeblis]

Committer Notes

Description

Added back-matter 'has' constraints and tests for each of the constraints. These should be added as they are part of the effort write all of the constraints from the constraint tracker.

Changes

• Added constraints has-user-guide, has-rules-of-behavior, has-information-system-contingency-plan, has-configuration-management-plan, has-incident-response-plan, has-separation-of-duties-matrix to fedramp-external-constraints.xml.
• Added pass and fail yaml tests for all of the above constraints.
• Edited ssp-all-VALID to ensure all constraints pass correctly.

{Please provide a description of what this PR accomplishes. Be sure to reference any issues addressed. If the PR is a work-in-progress submitted for early review, please submit the PR as a draft PR using the "Draft pull request" dropdown.}

All Submissions:

• Have you selected the correct base branch per Contributing guidance?
• Have you set "Allow edits and access to secrets by maintainers"?
• Have you checked to ensure there aren't other open Pull Requests for the same update/change?
• Have you squashed any non-relevant commits and commit messages? [instructions]
• Have you added an explanation of what your changes do and why you'd like us to include them?
• If applicable, have all FedRAMP Documents Related to OSCAL Adoption affected by the changes in this issue have been updated.?
• If applicable, does this PR reference the issue it addresses and explain how it addresses the issue?

By submitting a pull request, you are agreeing to provide this contribution under the CC0 1.0 Universal public domain dedication.

[aj-stein-gsa]

This is all good, do we have docs on automate.fedramp.gov to align with the attachment requirements for a SSP? In the SSP guidance, we call out an interconnection agreement, network diagram, and dataflow diagram, but not many of the attachments needed here.

[Gabeblis]

This is all good, do we have docs on automate.fedramp.gov to align with the attachment requirements for a SSP? In the SSP guidance, we call out an interconnection agreement, network diagram, and dataflow diagram, but not many of the attachments needed here.

All of them except for has-separation-of-duties-matrix are addressed here: https://automate.fedramp.gov/documentation/ssp/5-attachments/
There is an issue (#534) and draft PR (#594) for adding documentation for separation of duties.

[aj-stein-gsa]

This is all good, do we have docs on automate.fedramp.gov to align with the attachment requirements for a SSP? In the SSP guidance, we call out an interconnection agreement, network diagram, and dataflow diagram, but not many of the attachments needed here.

All of them except for has-separation-of-duties-matrix are addressed here: https://automate.fedramp.gov/documentation/ssp/5-attachments/ There is an issue (#534) and draft PR (#594) for adding documentation for separation of duties.

OK then we are in a good place, I will re-review in a bit.

[aj-stein-gsa]

See https://github.com/GSA/fedramp-automation/pull/654/files#r1754412173 for updated review and proposed changes.