Add security-sensitivity-level-matches-security-impact-level (GSA#786)

* Add security-sensitivity-level-matches-security-impact-level * Modify the message wording * In the message, change MUST to SHOULD
brian-ruf · Nov 8, 2024 · 9e9b001 · 9e9b001
1 parent 0d83da1
commit 9e9b001
Show file tree

Hide file tree

Showing 5 changed files with 45 additions and 0 deletions.
diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature
@@ -143,6 +143,8 @@ Examples:
   | scan-type-PASS.yaml |
   | security-level-FAIL.yaml |
   | security-level-PASS.yaml |
+  | security-sensitivity-level-matches-security-impact-level-FAIL.yaml |
+  | security-sensitivity-level-matches-security-impact-level-PASS.yaml |
   | user-type-FAIL.yaml |
   | user-type-PASS.yaml |
 #END_DYNAMIC_TEST_CASES
@@ -224,5 +226,6 @@ Examples:
   | role-defined-system-owner |
   | scan-type |
   | security-level |
+  | security-sensitivity-level-matches-security-impact-level |
   | user-type |
 #END_DYNAMIC_CONSTRAINT_IDS
diff --git a/...straints/content/ssp-security-sensitivity-level-matches-security-impact-level-INVALID.xml b/...straints/content/ssp-security-sensitivity-level-matches-security-impact-level-INVALID.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+
+  <system-characteristics>
+    <security-sensitivity-level>fips-199-low</security-sensitivity-level>
+    <security-impact-level>
+      <security-objective-confidentiality>fips-199-moderate</security-objective-confidentiality>
+      <security-objective-integrity>fips-199-moderate</security-objective-integrity>
+      <security-objective-availability>fips-199-moderate</security-objective-availability>
+    </security-impact-level>
+  </system-characteristics>
+
+</system-security-plan>
diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
@@ -45,6 +45,12 @@
     <context>
         <metapath target="/system-security-plan"/>
         <constraints>
+            <let var="security-impact-level" expression=
+                "if (//security-impact-level//* = 'fips-199-high')
+                    then ('fips-199-high')
+                else if (//security-impact-level//* = 'fips-199-moderate')
+                    then ('fips-199-moderate')
+                else ('fips-199-low')"/>
             <expect id="resource-has-title" target="back-matter/resource" test="title" level="WARNING">
                 <message>Every supporting artifact found in a citation should have a title.</message>
             </expect>
@@ -154,6 +160,10 @@
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#system-name-abbreviation-and-fedramp-unique-identifier"/>
                 <message>A FedRAMP SSP must have a FedRAMP system identifier.</message>
             </expect>
+            <expect id="security-sensitivity-level-matches-security-impact-level" target="system-characteristics/security-sensitivity-level" test=". eq $security-impact-level" level="WARNING">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#system-sensitivity-level"/>
+                <message>A FedRAMP SSP SHOULD define its FIPS-199 security sensitivity level to match the highest security impact level for the system's confidentiality, integrity, and availability objectives.</message>
+            </expect>
         </constraints>
     </context>
     <context>

diff --git a/...constraints/unit-tests/security-sensitivity-level-matches-security-impact-level-FAIL.yaml b/...constraints/unit-tests/security-sensitivity-level-matches-security-impact-level-FAIL.yaml
@@ -0,0 +1,8 @@
+# Driver for the invalid security-sensitivity-level-matches-security-impact-level constraint unit test.
+test-case:
+  name: The invalid security-sensitivity-level-matches-security-impact-level constraint unit test.
+  description: Test that the SSP "security-sensitivity-level" element value does not match "security-impact-level" values.
+  content: ../content/ssp-security-sensitivity-level-matches-security-impact-level-INVALID.xml
+  expectations:
+  - constraint-id: security-sensitivity-level-matches-security-impact-level
+    result: fail
diff --git a/...constraints/unit-tests/security-sensitivity-level-matches-security-impact-level-PASS.yaml b/...constraints/unit-tests/security-sensitivity-level-matches-security-impact-level-PASS.yaml
@@ -0,0 +1,8 @@
+# Driver for the valid security-sensitivity-level-matches-security-impact-level constraint unit test.
+test-case:
+  name: The valid security-sensitivity-level-matches-security-impact-level constraint unit test.
+  description: Test that the SSP "security-sensitivity-level" element value matches "security-impact-level" values.
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+  - constraint-id: security-sensitivity-level-matches-security-impact-level
+    result: pass