SSP Control Implementation constraints development

[Rene2mt]

This is a ...

improvement - something could be better

This relates to ...

• the FedRAMP OSCAL Registry
• the FedRAMP OSCAL baselines
• the Guide to OSCAL-based FedRAMP Content
• the Guide to OSCAL-based FedRAMP System Security Plans (SSP)
• the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP)
• the Guide to OSCAL-based FedRAMP Security Assessment Results (SAR)
• the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M)
• the FedRAMP SSP OSCAL Template (JSON or XML Format)
• the FedRAMP SAP OSCAL Template (JSON or XML Format)
• the FedRAMP SAR OSCAL Template (JSON or XML Format)
• the FedRAMP POA&M OSCAL Template (JSON or XML Format)

User Story

As a FedRAMP stakeholder, I need to use FedRAMP's external constraints so that I can make sure my OSCAL SSP control-implementation content is valid in accordance with FedRAMP requirements.

Goals

The goal is to ensure the following FedRAMP validations are either developed as Metaschema-based constraints or dropped.

• incomplete-all-implemented-requirements
• extraneous-implemented-requirements
• leveraged-PE-controls-implemented-requirement
• control-origination
• control-implementation-status
• missing-response-components
• extraneous-response-description
• extraneous-response-remarks
• has-unique-policy-and-procedure
• incomplete-response-description
• invalid-implementation-status
• DNSSEC-described
• configuration-management-controls-described
• incomplete-response-remarks
• implemented-requirement-has-responsible-role
• implemented-requirement-has-implementation-status
• implemented-requirement-has-planned-completion-date
• implemented-requirement-has-control-origination
• implemented-requirement-has-allowed-control-origination
• implemented-requirement-has-leveraged-authorization
• partial-implemented-requirement-has-plan
• implemented-requirement-has-allowed-composite-implementation-status
• set-parameter-elements-match-baseline
• remote-multi-factor-authentication-described
• set-parameter-elements-match-baseline1
• implemented-requirement-has-allowed-implementation-status
• implemented-requirement-has-implementation-status-remarks
• planned-completion-date-is-not-past
• planned-completion-date-is-valid
• uses-correct-param-value

Dependencies

No response

Acceptance Criteria

• Metaschema-based external constraint is developed

• External constraint has PASS & FAIL unit tests

• Unit test content (e.g., valid and invalid SSP) is provided

• Constraints testing harness produces expected results when unit tests are run

• The constraint is documented and mentioned in the https://automate.fedramp.gov/documentation site (confirm by reviewing SSP sub-pages)

• All FedRAMP Documents Related to OSCAL Adoption (https://github.com/GSA/fedramp-automation) affected by the changes in this issue have been updated.

• A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.

Other information

No response