GSA · aj-stein-gsa · Sep 11, 2024 · Sep 6, 2024 · Sep 11, 2024
@@ -39,6 +39,18 @@ Examples:
   | data-center-us-PASS.yaml |
   | deployment-mode-FAIL.yaml |
   | deployment-mode-PASS.yaml |
+  | has-configuration-management-plan-FAIL.yaml |
+  | has-configuration-management-plan-PASS.yaml |
+  | has-incident-response-plan-FAIL.yaml |
+  | has-incident-response-plan-PASS.yaml |
+  | has-information-system-contingency-plan-FAIL.yaml |
+  | has-information-system-contingency-plan-PASS.yaml |
+  | has-rules-of-behavior-FAIL.yaml |
+  | has-rules-of-behavior-PASS.yaml |
+  | has-separation-of-duties-matrix-FAIL.yaml |
+  | has-separation-of-duties-matrix-PASS.yaml |
+  | has-user-guide-FAIL.yaml |
+  | has-user-guide-PASS.yaml |
   | information-type-system-FAIL.yaml |
   | information-type-system-PASS.yaml |
   | interconnection-direction-FAIL.yaml |
@@ -84,6 +96,12 @@ Examples:
   | data-center-country-code |
   | data-center-primary |
   | deployment-model |
+  | has-configuration-management-plan |
+  | has-incident-response-plan |
+  | has-information-system-contingency-plan |
+  | has-rules-of-behavior |
+  | has-separation-of-duties-matrix |
+  | has-user-guide |
   | information-type-system |
   | interconnection-direction |
   | interconnection-security |

@@ -205,5 +205,92 @@
       <prop name="type" value="policy" ns="https://fedramp.gov/ns/oscal"/>
       <rlink href="https://example.com/policies/access-control.pdf"/>
     </resource>
+    <resource uuid="90a128ac-c850-48f6-8fff-a55692f80b41">
+      <title>User's Guide</title>
+      <description>
+         <p>User's Guide</p>
+      </description>
+      <prop name="type" value="users-guide"/>
+      <prop name="published" value="2023-01-01T00:00:00Z"/>
+      <rlink href="./documents/guides/sample_guide.pdf"/>
+      <remarks>
+         <p>Table 12-1 Attachments: User's Guide Attachment</p>
+         <p>May use <code>rlink</code> with a relative path, or embedded as <code>base64</code>.</p>
+      </remarks>
+   </resource>
+   <resource uuid="489112e1-57f2-4c29-8dd0-95b1442fbf3b">
+    <title>Document Title</title>
+    <description>
+       <p>Rules of Behavior</p>
+    </description>
+    <prop name="type" value="rules-of-behavior"/>
+    <prop name="published" value="2023-01-01T00:00:00Z"/>
+    <prop name="version" value="Document Version"/>
+    <rlink href="./documents/rob.docx" media-type="application/msword"/>
+    <base64 filename="rob.docx" media-type="application/msword">00000000</base64>
+    <remarks>
+       <p>Table 12-1 Attachments: Rules of Behavior (ROB)</p>
+       <p>May use <code>rlink</code> with a relative path, or embedded as <code>base64</code>.</p>
+    </remarks>
+ </resource>
+ <resource uuid="c7860916-f2f4-43aa-b578-d48cf8e6d381">
+  <title>Document Title</title>
+  <description>
+     <p>Contingency Plan (CP)</p>
+  </description>
+  <prop name="type" value="plan" class="information-system-contingency-plan"/>
+  <prop name="published" value="2023-01-01T00:00:00Z"/>
+  <prop name="version" value="Document Version"/>
+  <rlink href="./documents/cp.docx" media-type="application/msword"/>
+  <base64 filename="cp.docx" media-type="application/msword">00000000</base64>
+  <remarks>
+     <p>Table 12-1 Attachments: Contingency Plan (CP) Attachment</p>
+     <p>May use <code>rlink</code> with a relative path, or embedded as <code>base64</code>.</p>
+  </remarks>
+</resource>
+<resource uuid="ab56cf27-0dae-40d6-89b7-d750137309af">
+  <title>Document Title</title>
+  <description>
+     <p>Configuration Management (CM) Plan</p>
+  </description>
+  <prop name="type" value="plan" class="configuration-management-plan"/>
+  <prop name="published" value="2023-01-01T00:00:00Z"/>
+  <prop name="version" value="Document Version"/>
+  <rlink href="./documents/CM_Plan.docx" media-type="application/msword"/>
+  <base64 filename="CM_Plan.docx" media-type="application/msword">00000000</base64>
+  <remarks>
+     <p>Table 12-1 Attachments: Configuration Management (CM) Plan Attachment</p>
+     <p>May use <code>rlink</code> with a relative path, or embedded as <code>base64</code>.</p>
+  </remarks>
+</resource>
+<resource uuid="3f771ab5-8016-4571-98d1-f0fb962e15e2">
+  <title>Document Title</title>
+  <description>
+     <p>Incident Response (IR) Plan</p>
+  </description>
+  <prop name="type" value="plan" class="incident-response-plan"/>
+  <prop name="published" value="2023-01-01T00:00:00Z"/>
+  <prop name="version" value="Document Version"/>
+  <rlink href="./documents/IR_Plan.docx" media-type="application/msword"/>
+  <base64 filename="IR_Plan.docx" media-type="application/msword">00000000</base64>
+  <remarks>
+     <p>Table 12-1 Attachments: Incident Response (IR) Plan Attachment</p>
+     <p>May use <code>rlink</code> with a relative path, or embedded as <code>base64</code>.</p>
+  </remarks>
+</resource>
+<resource uuid="49fb4631-1da2-41ca-b0b3-e1b1006d4025">
+  <title>Separation of Duties Matrix</title>
+  <description>
+     <p>Separation of Duties Matrix</p>
+  </description>
+  <prop ns="https://fedramp.gov/ns/oscal" name="type" value="separation-of-duties-matrix"/>
+  <prop name="published" value="2023-01-01T00:00:00Z"/>
+  <prop name="version" value="Document Version"/>
+  <rlink href="./documents/Sep_Matrix.docx" media-type="application/msword"/>
+  <base64 filename="Sep_Matrix.docx" media-type="application/msword">00000000</base64>
+  <remarks>
+     <p>May use <code>rlink</code> with a relative path, or embedded as <code>base64</code>.</p>
+  </remarks>
+</resource>
   </back-matter>
-</system-security-plan>
+</system-security-plan>
@@ -40,6 +40,24 @@
         <expect id="resource-has-base64-or-rlink" target="back-matter/resource" test="count(./rlink) >= 1 or count(./base64) >= 1" level="WARNING">
             <message>Every supporting artifact found in a citation must have at least one base64 or rlink element.</message>
         </expect>
+        <expect id="has-user-guide" target="back-matter" test="resource[prop[@name eq 'type' and @value eq 'users-guide']]" level="ERROR">
+            <message>A FedRAMP SSP must have a User Guide attached.</message>
+        </expect>
+        <expect id="has-rules-of-behavior" target="back-matter" test="resource[prop[@name eq 'type' and @value eq 'rules-of-behavior']]" level="ERROR">
+            <message>A FedRAMP SSP must have Rules of Behavior.</message>
+        </expect>
+        <expect id="has-information-system-contingency-plan" target="back-matter" test="resource[prop[@name eq 'type' and @value eq 'plan' and @class eq 'information-system-contingency-plan']]" level="ERROR">
+            <message>A FedRAMP SSP must have a Contingency Plan attached.</message>
+        </expect>
+        <expect id="has-configuration-management-plan" target="back-matter" test="resource[prop[@name eq 'type' and @value eq 'plan' and @class eq 'configuration-management-plan']]" level="ERROR">
+            <message>A FedRAMP SSP must have a Configuration Management Plan attached.</message>
+        </expect>
+        <expect id="has-incident-response-plan" target="back-matter" test="resource[prop[@name eq 'type' and @value eq 'plan' and @class eq 'incident-response-plan']]" level="ERROR">
+            <message>A FedRAMP SSP must have an Incident Response Plan attached.</message>
+        </expect>
+        <expect id="has-separation-of-duties-matrix" target="back-matter" test="resource[prop[@name eq 'type' and @value eq 'separation-of-duties-matrix']]" level="ERROR">
+            <message>A FedRAMP SSP must have a Separation of Duties Matrix attached.</message>
+        </expect>
     </constraints>
 </context>
 <context>

@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for has-configuration-management-plan
+  description: >-
+    This test case validates the behavior of constraint
+    has-configuration-management-plan
+  content: ../content/ssp-all-INVALID.xml
+  expectations:
+    - constraint-id: has-configuration-management-plan
+      result: fail
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for has-configuration-management-plan
+  description: >-
+    This test case validates the behavior of constraint
+    has-configuration-management-plan
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: has-configuration-management-plan
+      result: pass
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for has-incident-response-plan
+  description: >-
+    This test case validates the behavior of constraint
+    has-incident-response-plan
+  content: ../content/ssp-all-INVALID.xml
+  expectations:
+    - constraint-id: has-incident-response-plan
+      result: fail
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for has-incident-response-plan
+  description: >-
+    This test case validates the behavior of constraint
+    has-incident-response-plan
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: has-incident-response-plan
+      result: pass
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for has-information-system-contingency-plan
+  description: >-
+    This test case validates the behavior of constraint
+    has-information-system-contingency-plan
+  content: ../content/ssp-all-INVALID.xml
+  expectations:
+    - constraint-id: has-information-system-contingency-plan
+      result: fail
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for has-information-system-contingency-plan
+  description: >-
+    This test case validates the behavior of constraint
+    has-information-system-contingency-plan
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: has-information-system-contingency-plan
+      result: pass
@@ -0,0 +1,7 @@
+test-case:
+  name: Negative Test for has-rules-of-behavior
+  description: This test case validates the behavior of constraint has-rules-of-behavior
+  content: ../content/ssp-all-INVALID.xml
+  expectations:
+    - constraint-id: has-rules-of-behavior
+      result: fail
@@ -0,0 +1,7 @@
+test-case:
+  name: Positive Test for has-rules-of-behavior
+  description: This test case validates the behavior of constraint has-rules-of-behavior
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: has-rules-of-behavior
+      result: pass
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for has-separation-of-duties-matrix
+  description: >-
+    This test case validates the behavior of constraint
+    has-separation-of-duties-matrix
+  content: ../content/ssp-all-INVALID.xml
+  expectations:
+    - constraint-id: has-separation-of-duties-matrix
+      result: fail
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for has-separation-of-duties-matrix
+  description: >-
+    This test case validates the behavior of constraint
+    has-separation-of-duties-matrix
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: has-separation-of-duties-matrix
+      result: pass
@@ -0,0 +1,7 @@
+test-case:
+  name: Negative Test for has-user-guide
+  description: This test case validates the behavior of constraint has-user-guide
+  content: ../content/ssp-all-INVALID.xml
+  expectations:
+    - constraint-id: has-user-guide
+      result: fail
@@ -0,0 +1,7 @@
+test-case:
+  name: Positive Test for has-user-guide
+  description: This test case validates the behavior of constraint has-user-guide
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: has-user-guide
+      result: pass