GSA · aj-stein-gsa · Dec 3, 2024 · Dec 3, 2024
@@ -111,6 +111,7 @@ Examples:
   | leveraged-authorization-has-valid-impact-level |
   | leveraged-authorization-nature-of-agreement |
   | marking |
+  | misplaced-response-components |  
   | missing-response-components |
   | party-has-name |
   | privilege-level |
@@ -328,6 +329,8 @@ Examples:
   | leveraged-authorization-nature-of-agreement-PASS.yaml |
   | marking-FAIL.yaml |
   | marking-PASS.yaml |
+  | misplaced-response-components-FAIL.yaml |
+  | misplaced-response-components-PASS.yaml |
   | missing-response-components-FAIL.yaml |
   | missing-response-components-PASS.yaml |
   | party-has-name-FAIL.yaml |

@@ -400,31 +400,31 @@
       <prop name="control-origination" value="sp-system" ns="https://fedramp.gov/ns/oscal"/>
       <prop name="implementation-status" value="partial" ns="https://fedramp.gov/ns/oscal"/>
       <statement statement-id="ac-1_stmt.a" uuid="99999999-0000-4000-9000-000000000009">
+        <by-component component-uuid="55555555-0000-4000-9000-000000000005" uuid="aaaaaaaa-0000-4000-9000-00000000000a">
+          <description>
+            <p>Access Control Policy and Procedures (AC-1) is fully implemented in our system.</p>
+          </description>
+          <prop ns="https://fedramp.gov/ns/oscal" name="implementation-status" value="implemented"/>
+          <responsible-role role-id="system-admin">
+            <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
+          </responsible-role>
+        </by-component>    
       </statement>
-      <by-component component-uuid="55555555-0000-4000-9000-000000000005" uuid="aaaaaaaa-0000-4000-9000-00000000000a">
-        <description>
-          <p>Access Control Policy and Procedures (AC-1) is fully implemented in our system.</p>
-        </description>
-        <prop ns="https://fedramp.gov/ns/oscal" name="implementation-status" value="implemented"/>
-        <responsible-role role-id="system-admin">
-          <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
-        </responsible-role>
-      </by-component>
     </implemented-requirement>
 
     <implemented-requirement uuid="bbbbbbbb-0000-4000-9000-00000000000b" control-id="cm-8">
       <prop name="control-origination" value="sp-system" ns="https://fedramp.gov/ns/oscal"/>
       <statement statement-id="cm-8_stmt.a" uuid="cccccccc-0000-4000-9000-00000000000c">
+        <by-component component-uuid="55555555-0000-4000-9000-000000000005" uuid="dddddddd-0000-4000-9000-00000000000d">
+          <description>
+            <p>Information System Component Inventory (CM-8) is partially implemented.</p>
+          </description>
+          <prop ns="https://fedramp.gov/ns/oscal" name="implementation-status" value="partial"/>
+          <responsible-role role-id="system-admin">
+            <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
+          </responsible-role>
+        </by-component>      
       </statement>
-      <by-component component-uuid="55555555-0000-4000-9000-000000000005" uuid="dddddddd-0000-4000-9000-00000000000d">
-        <description>
-          <p>Information System Component Inventory (CM-8) is partially implemented.</p>
-        </description>
-        <prop ns="https://fedramp.gov/ns/oscal" name="implementation-status" value="partial"/>
-        <responsible-role role-id="system-admin">
-          <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
-        </responsible-role>
-      </by-component>
     </implemented-requirement>
   </control-implementation>
 

@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+  <system-implementation>
+    <component uuid="55555555-0000-4000-9000-000000000005" type="this-system">
+      <title>System To Be Authorized</title>
+      <description>
+        <p>This component reflects the system to be authorized.</p>
+        <p>A proper SSP should reference this correctly within a given statement to document implemented requirements per FedRAMP requirements.</p>
+        <p>This example SSP does not do that, it's invalid and has some problems.</p>
+      </description>
+    </component>  
+  </system-implementation>
+  <control-implementation>
+    <description>
+      <p>Implementation of controls for the System to be Authorized</p>
+    </description>    
+    <implemented-requirement uuid="bbbbbbbb-0000-4000-9000-00000000000b" control-id="cm-8">
+      <prop name="control-origination" value="unsupported-origination" ns="https://fedramp.gov/ns/oscal"/>
+      <statement statement-id="cm-8_stmt.a" uuid="cccccccc-0000-4000-9000-00000000000c"/>
+      <by-component component-uuid="55555555-0000-4000-9000-000000000005" uuid="ce9c5b13-c9ea-40bb-bd4e-51e1520a4bce">
+          <description>
+            <p>This component reference would be valid if it was within the <code>statement</code> above, but it is not.</p>
+            <p>This constraint violation for the invalid file should warn users and developers repurposing valid syntax for NIST's upstream OSCAL generic use cases is not valid specifically for FedRAMP.</p>
+          </description>        
+      </by-component>
+    </implemented-requirement>
+  </control-implementation>
+</system-security-plan>
@@ -11,12 +11,14 @@
       <prop name="control-origination" value="unsupported-origination" ns="https://fedramp.gov/ns/oscal"/>
       <prop name="implementation-status" value="unsupported-status" ns="https://fedramp.gov/ns/oscal"/>
       <statement statement-id="ac-1_stmt.a" uuid="99999999-0000-4000-9000-000000000009">
+        <!-- A require by-component reference is missing here, this missing assembly should trigger a constraint violation error. -->
       </statement>
     </implemented-requirement>
 
     <implemented-requirement uuid="bbbbbbbb-0000-4000-9000-00000000000b" control-id="cm-8">
       <prop name="control-origination" value="unsupported-origination" ns="https://fedramp.gov/ns/oscal"/>
       <statement statement-id="cm-8_stmt.a" uuid="cccccccc-0000-4000-9000-00000000000c">
+        <!-- A require by-component reference is missing here, this missing assembly should trigger a constraint violation error. -->
       </statement>
     </implemented-requirement>
   </control-implementation>

@@ -158,10 +158,19 @@
     <context>
         <metapath target="/system-security-plan/control-implementation"/>
         <constraints>
-            <expect id="missing-response-components" target="implemented-requirement" test="count(./by-component) gt 0" level="ERROR">
-                <formal-name>Missing Response Components</formal-name>
+            <expect id="misplaced-response-components" target="implemented-requirement" test="count(./by-component) gt 0" level="WARNING">
+                <formal-name>By-Component Reference for Implemented Requirements Misplaced</formal-name>
+                <message>A FedRAMP SSP MUST identify how the system implements each control requirement implemented at the per-statement level, not in other locations allowed for non-FedRAMP use cases.</message>
+                <remarks>
+                    <p>NIST maintains OSCAL models that allow implemented requirements for controls to have references to the implementing components in multiple locations to support multiple use cases.</p>
+                    <p>Despite the flexibility of NIST's upstream OSCAL models, FedRAMP only accepts OSCAL-based SSP with the reference in one of those locations, see <code>missing-response-components</code> for more details about this requirement.</p>
+                    <p>A constraint violation with this warning indicates a given SSP uses one of the valid locations for all NIST use cases, not the only one FedRA</p>
+                </remarks>
+            </expect>        
+            <expect id="missing-response-components" target="implemented-requirement/statement" test="count(./by-component) gt 0" level="ERROR">
+                <formal-name>By-Component Reference for Implemented Requirements Missing</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/6-security-controls/#response-overview"/>
-                <message>Each implemented requirement MUST have at least one by-component reference to the source component implementing it.</message>
+                <message>A FedRAMP SSP MUST identify how the system implements each control requirement implemented at the per-statement level and reference any component used to implement it.</message>
             </expect>
         </constraints>
     </context>

@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for misplaced-response-components
+  description: >-
+    This test case validates the behavior of constraint
+    misplaced-response-components
+  content: ../content/ssp-misplaced-response-components-INVALID.xml
+  expectations:
+    - constraint-id: misplaced-response-components
+      result: fail
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for misplaced-response-components
+  description: >-
+    This test case validates the behavior of constraint
+    misplaced-response-components
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: misplaced-response-components
+      result: pass