Feature/fedramp citations

[wandmagic]

Committer Notes

Add FedRAMP SSP OSCAL Validation Constraints for Required Attachments
This PR addresses https://github.com/GSA/fedramp-automation/815 regarding automated completeness checks for OSCAL-based SSPs.

User Story Implementation
Implements automated verification of OSCAL-based SSP completeness through metaschema constraints, specifically:

✓ Added checks for standard FedRAMP attachments (E-Authentication)
✓ Implemented validation for FedRAMP Citations reference

All Submissions:

• Have you selected the correct base branch per Contributing guidance?
• Have you set "Allow edits and access to secrets by maintainers"?
• Have you checked to ensure there aren't other open Pull Requests for the same update/change?
• Have you squashed any non-relevant commits and commit messages? [instructions]
• Have you added an explanation of what your changes do and why you'd like us to include them?
• If applicable, have all FedRAMP Documents Related to OSCAL Adoption affected by the changes in this issue have been updated.?
• If applicable, does this PR reference the issue it addresses and explain how it addresses the issue?

By submitting a pull request, you are agreeing to provide this contribution under the CC0 1.0 Universal public domain dedication.

[aj-stein-gsa]

Tangential comment: I just noticed the use of ✓ Unicode char in the checklist instead of the box, slick. 😄

[aj-stein-gsa]

Looks ok, but there are a lot of other constraints that are out of scope for the requirements I see current in #815 and not in develop. I know this is a revived branch so is there more here than just a rebase?

If you want we can discuss quickly in Google Chat or on a call if I am missing something obvious.

[aj-stein-gsa]

Per discussion in chat, can you confirm the PIA constraint and files should be removed and confirm the DIL Worksheet one is the issue I guessed (but appears to be coded with an old attachment approach)? I looked at the backlog what you picked up, the second one I need your help to make an educated guess.

[aj-stein-gsa]

@wandmagic, can you confirm you intended for #812 to be included in the scope of this PR or not? That pertains to the outstanding constrains you asked to change or remove.

[wandmagic]

@wandmagic, can you confirm you intended for #812 to be included in the scope of this PR or not? That pertains to the outstanding constrains you asked to change or remove.

I'm not sure how they got in there, but i removed them for now, sounds like those constraints needed a rework, but i believe whats in here now is fine

[Gabeblis]

Thanks for adding the frr108 style guide constraint. This is good stuff, just a few comments.

[wandmagic]

ok feedback addressed, thanks gabe!

fixed

[aj-stein-gsa]

Blocking: I can find no reference to this in any issue, so can we remove it? I really want to know where the requirement came from, because if it is a historic/soon-to-be-obsolete requirement from previous arch or Rev 4 governance, it is news to me, and I usually don't forgot such stuff. So I've been scratching my head.

Suggested change

	<expect id="has-e-authentication-workflow" target="." test="resource[prop[@name eq 'type' and @class eq 'e-authentication-workflow']]" level="ERROR">
	<formal-name>Has E-Authentication Workflow</formal-name>
	<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/"/>
	<message>A FedRAMP SSP MUST have an E-Authentication Workflow diagram attached.</message>
	</expect>

[aj-stein-gsa]

Blocking: remove with its constraint.

[aj-stein-gsa]

Blocking: remove with its constraint.

[aj-stein-gsa]

Blocking: remove with its constraint.

[Gabeblis]

@wandmagic I think some extra files got in here on the rebase, but also this needs to be rebased again