Commit

add additional sample content (#1081)
wandmagic authored Jan 9, 2025
1 parent 1f55a73 commit 608080d
Showing 5 changed files with 196 additions and 9 deletions.
48 changes: 41 additions & 7 deletions src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
Expand Up @@ -2535,8 +2535,9 @@ SSP authors must add implmentations for all required controls.
<value>at least every 3 years</value>
</set-parameter><set-parameter param-id="ac-01_odp.07">
<value>at least annually</value>
</set-parameter><statement statement-id="ac-1_smt.a.1" uuid="11111111-2222-4000-8000-013000000001">
<by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000001">
</set-parameter>
<statement statement-id="ac-1_smt" uuid="11111117-2222-4000-8000-013000000001">
<by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000001">
<description>
<p>Describe how Part a is satisfied within the system.</p>
<p>Legacy approach. If no policy component is defined, describe here how the policy satisfies part a.</p>
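Review bot: the new `ac-1_smt` statement's uuid `11111117-2222-4000-8000-013000000001` breaks the `11111111-…` pattern that every other identifier in this example follows, and its by-component uuid `11111111-2222-4000-8000-014000000001` is exactly the value the removed `ac-1_smt.a.1` by-component was using; allocate the next unused numbers in the existing `…-013000000xxx` and `…-014000000xxx` sequences for both instead of altering a prefix group to dodge the clash.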
Expand Down Expand Up @@ -2566,6 +2567,37 @@ SSP authors must add implmentations for all required controls.
</responsible-role>
</by-component>
</statement>
<statement statement-id="ac-1_smt.a.1" uuid="11111111-2222-4000-8000-013000000001">
<by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8880-014000000001">
<description>
<p>Describe how Part a is satisfied within the system.</p>
<p>Legacy approach. If no policy component is defined, describe here how the policy satisfies part a.</p>
<p>In this case, a link must be provided to the policy.</p>
<p>FedRAMP prefers all policies and procedures be attached as a resource in the back-matter. The link points to a resource.</p>
</description>
<link href="#11111111-2222-4000-8000-001000000005" rel="policy"/>
<link href="#11111111-2222-4000-8000-001000000023" rel="procedure"/>
<implementation-status state="operational"/>
<responsible-role role-id="system-admin">
<party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
</responsible-role>
<remarks>
<p>The specified component is the system itself.</p>
<p>Any control implementation response that can not be associated with another component is associated with the component representing the system.</p>
</remarks>
</by-component>
<by-component component-uuid="11111111-2222-4000-8000-009000000012" uuid="11111111-2222-4000-8000-014000000012">
<description>
<p>Describe how this policy component satisfies part a.</p>
<p>Component approach. This links to a component representing the Identity Management and Access Control Policy.</p>
<p>That component contains a link to the policy, so it does not have to be linked here too.</p>
</description>
<implementation-status state="operational"/>
<responsible-role role-id="system-admin">
<party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
</responsible-role>
</by-component>
</statement>
<statement statement-id="ac-1_smt.a.2" uuid="11111111-2222-4000-8000-013000000002">
<by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000003">
<description>
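Review bot: the by-component uuid on the re-added `ac-1_smt.a.1` statement, `11111111-2222-4000-8880-014000000001`, differs from the one reused in the previous hunk only by a hand-edited fourth group (`8880` for `8000`), and the second by-component takes `…-014000000012`, which the `at-1_smt.a` hunk below then has to renumber; both look like collisions patched by mutating an existing value rather than by taking a fresh one. Pick unused `…-014000000xxx` values, and if the repository has a `@uuid` uniqueness constraint, run it over this file before merging. The `link rel="policy"`/`rel="procedure"`, `implementation-status` and `responsible-role` content otherwise matches the existing legacy-approach sample.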
Expand Down Expand Up @@ -2799,7 +2831,7 @@ SSP authors must add implmentations for all required controls.
</responsible-role>
</by-component>
</statement><statement statement-id="at-1_smt.a" uuid="11111111-2222-4000-8000-013000000008">
<by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000012">
<by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000017">
<description>
<p>Describe how Part a is satisfied.</p>
</description>
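Review bot: the `at-1_smt.a` by-component uuid moves from `…-014000000012` to `…-014000000017`, but `…-014000000017` is the value the `au-1_smt` by-component holds in the next hunk, so this only relocates the duplicate; use a value that is unused in the whole file (the series visibly runs past `…-014000000065` further down).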
Expand Down Expand Up @@ -2869,7 +2901,7 @@ SSP authors must add implmentations for all required controls.
</set-parameter><responsible-role role-id="information-system-security-officer">
<party-uuid>11111111-2222-4000-8000-004000000011</party-uuid>
</responsible-role><statement statement-id="au-1_smt" uuid="11111111-2222-4000-8000-013000000011">
<by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000017">
<by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8800-004000000017">
<description>
<p>Describe how the control is satisfied within the system.</p>
</description>
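Review bot: `11111111-2222-4000-8800-004000000017` changes two groups of the `au-1_smt` by-component uuid and lands in the `…-004000000xxx` range this file uses for party uuids (compare the `information-system-security-officer` party `…-004000000011` two lines above), so on inspection it reads like a party reference; keep by-component uuids in the `…-014000000xxx` series and take the next free number there.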
Expand Down Expand Up @@ -3769,7 +3801,7 @@ SSP authors must add implmentations for all required controls.
<value>All employees, contractors, and third-party vendors who handle sensitive information or have access to organizational media.</value>
</set-parameter><responsible-role role-id="information-system-security-officer">
<party-uuid>11111111-2222-4000-8000-004000000011</party-uuid>
</responsible-role><statement statement-id="_smt" uuid="11111111-2222-4000-8000-013000000039">
</responsible-role><statement statement-id="mp-1_smt" uuid="11111111-2222-4000-8000-013000000039">
<by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000059">
<description>
<p>Describe how the control is satisfied within the system.</p>
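Review bot: `_smt` to `mp-1_smt` is the right correction, since a `statement-id` has to match a statement part id in the resolved profile and a bare `_smt` never can; the same defect is fixed for `pe-1_smt` below, so consider a constraint that flags any `statement-id` not prefixed by the enclosing `implemented-requirement`'s `control-id`, which would have caught both.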
Expand All @@ -3784,7 +3816,9 @@ SSP authors must add implmentations for all required controls.
<party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
</responsible-role>
</by-component>
</statement><statement statement-id="mp-1_smt.a" uuid="11111111-2222-4000-8000-013000000040">
</statement>

<statement statement-id="mp-1_smt.a" uuid="11111111-2222-4000-8000-013000000040">
<by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000060">
<description>
<p>For the portion of the control satisfied by the service provider, describe <strong>how</strong> the control is met.</p>
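Review bot: this hunk is a whitespace-only change (a line break and a blank line between `</statement>` and the `mp-1_smt.a` `<statement>`); the rest of the file keeps `</statement><statement` on one line, so either reformat the whole file consistently in a separate commit or drop this hunk to keep the diff to the semantic fixes.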
Expand Down Expand Up @@ -3854,7 +3888,7 @@ SSP authors must add implmentations for all required controls.
<value>All personnel with access to company facilities or systems, including employees, contractors, and third-party vendors.</value>
</set-parameter><responsible-role role-id="information-system-security-officer">
<party-uuid>11111111-2222-4000-8000-004000000011</party-uuid>
</responsible-role><statement statement-id="_smt" uuid="11111111-2222-4000-8000-013000000043">
</responsible-role><statement statement-id="pe-1_smt" uuid="11111111-2222-4000-8000-013000000043">
<by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000065">
<description>
<p>Describe how the control is satisfied within the system.</p>
33 changes: 33 additions & 0 deletions src/validations/constraints/content/resolved-example-profile.xml
@@ -0,0 +1,33 @@
<?xml version="1.0" encoding="UTF-8"?>
<catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="2a1553a7-2ae5-4669-a260-7c6fe6215170">
<metadata>
<title>Sample</title>
<last-modified>2025-01-08T00:00:00Z</last-modified>
<version>1.0</version>
<oscal-version>1.1.3</oscal-version>
</metadata>
<control id="sample-1">
<title>Sample 1</title>
<part name="statement" id="sample-1_smt">
<part name="item" id="sample-1_smt.a">
<prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="You must fill in this response point." />
<p>Should be INCLUDED (sample-1_smt.a)</p>
<part name="item" id="sample-1_smt.a.1">
<prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="You must fill in this response point." />
<p>Should be INCLUDED (sample-1_smt.a.1)</p>
</part>
</part>
</part>

<part id="sample-1_obj" name="assessment-objective">
<part id="sample-1_obj.a" name="assessment-objective">
<prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="You must fill in this response point."/>
<p>this should be EXCLUDED (sample-1_obj.a)</p>
<part id="sample-1_obj.a-1" name="assessment-objective">
<prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="You must fill in this response point."/>
<p>this should be EXCLUDED (sample-1_obj.a-1)</p>
</part>
</part>
</part>
</control>
</catalog>
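Review bot: the `response-point` props here use `ns="https://fedramp.gov/ns/oscal"` while the SSP fixture in this same commit uses `ns="http://fedramp.gov/ns/oscal"`; the constraint's `prop[@name='response-point']` predicate ignores `@ns`, so the test still passes, but fixtures should agree on one namespace string so they keep passing if the predicate is ever tightened. Also note that the props sit on the `item` parts (`sample-1_smt.a`, `sample-1_smt.a.1`) and not on `sample-1_smt` itself, while the constraint keys its map on the `statement` part's `@id`, so only `sample-1_smt` becomes a required entry; the "Should be INCLUDED" labels on the nested items are true only indirectly, and the comment should say so.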
@@ -0,0 +1,118 @@
<?xml version="1.0" encoding="UTF-8"?>
<?xml-model href="https://raw.githubusercontent.com/usnistgov/OSCAL/v1.0.4/xml/schema/oscal_complete_schema.xsd" schematypens="http://www.w3.org/2001/XMLSchema" title="OSCAL complete schema"?>
<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="11111111-2222-4000-8000-000000000000">
<metadata></metadata>
<import-profile href="resolved-example-profile.xml"/>
<control-implementation>
<description></description>
<implemented-requirement uuid="11111111-2222-4000-8000-012000000001" control-id="unsupported-id">
<prop name="control-origination" ns="http://fedramp.gov/ns/oscal" value="sp-system"/>
<link href="#11111111-2222-4000-8000-001000000005" rel="policy"/>
<link href="#11111111-2222-4000-8000-001000000023" rel="procedure"/>
<set-parameter param-id="ac-1_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="mp-2_prm_2">
<value>Chief Information Security Officer, Information System Security Officers, and System Administrators</value>
</set-parameter>
<statement statement-id="sample-1_smt" uuid="11111111-2222-4000-8000-013000000008">
<by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000003">
<description>
<p>There</p>
</description>
<prop name="planned-completion-date" ns="http://fedramp.gov/ns/oscal" value="2024-01-31Z"/>
<implementation-status state="partial">
<remarks>
<p>Describe the plan to complete the implementation.</p>
</remarks>
</implementation-status>
</by-component>
<by-component component-uuid="11111111-2222-4000-8000-009000000013" uuid="11111111-2222-4000-8000-014000000004">
<description>
<p>Describe how this policy currently satisfies part a.</p>
</description>
<prop name="planned-completion-date" ns="http://fedramp.gov/ns/oscal" value="2024-01-31Z">
<remarks>
<p>Describe the plan for addressing the missing policy elements.</p>
</remarks>
</prop>
<implementation-status state="partial">
<remarks>
<p>Identify what is currently missing from this policy.</p>
</remarks>
</implementation-status>
</by-component>
</statement>
<statement statement-id="ac-1_smt.a.1" uuid="11111111-2222-4000-8000-013000000001">
<by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000001">
<description>
<p>Describe how Part a is satisfied within the system.</p>
<p>Legacy approach. If no policy component is defined, describe here how the policy satisfies part a.</p>
<p>In this case, a link must be provided to the policy.</p>
<p>FedRAMP prefers all policies and procedures be attached as a resource in the back-matter. The link points to a resource.</p>
</description>
<link href="#11111111-2222-4000-8000-001000000005" rel="policy"/>
<link href="#11111111-2222-4000-8000-001000000023" rel="procedure"/>
<implementation-status state="operational"/>
<remarks>
<p>The specified component is the system itself.</p>
<p>Any control implementation response that can not be associated with another component is associated with the component representing the system.</p>
</remarks>
</by-component>
<by-component component-uuid="11111111-2222-4000-8000-009000000012" uuid="11111111-2222-4000-8000-014000000002">
<description>
<p>Describe how this policy component satisfies part a.</p>
<p>Component approach. This links to a component representing the Identity Management and Access Control Policy.</p>
<p>That component contains a link to the policy, so it does not have to be linked here too.</p>
</description>
<implementation-status state="operational"/>
</by-component>
</statement>
<statement statement-id="sample-1_smt.a" uuid="11111111-2222-4000-8000-013000000002">
<by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000003">
<description>
<p>There</p>
</description>
<prop name="planned-completion-date" ns="http://fedramp.gov/ns/oscal" value="2024-01-31Z"/>
<implementation-status state="partial">
<remarks>
<p>Describe the plan to complete the implementation.</p>
</remarks>
</implementation-status>
</by-component>
<by-component component-uuid="11111111-2222-4000-8000-009000000013" uuid="11111111-2222-4000-8000-014000000004">
<description>
<p>Describe how this policy currently satisfies part a.</p>
</description>
<prop name="planned-completion-date" ns="http://fedramp.gov/ns/oscal" value="2024-01-31Z">
<remarks>
<p>Describe the plan for addressing the missing policy elements.</p>
</remarks>
</prop>
<implementation-status state="partial">
<remarks>
<p>Identify what is currently missing from this policy.</p>
</remarks>
</implementation-status>
</by-component>
</statement>

<statement statement-id="sample-1_smt.a.1" uuid="11111111-2222-4000-8000-013000000003">
<by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000005">
<description>
<p>Describe how Part b-1 is satisfied.</p>
</description>
<implementation-status state="operational"/>
</by-component>
</statement>
<statement statement-id="ac-1_smt.b.2" uuid="11111111-2222-4000-8000-013000000004">
<by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000006">
<description>
<p>Describe how Part b-2 is satisfied.</p>
</description>
<implementation-status state="operational"/>
</by-component>
</statement>
</implemented-requirement>
</control-implementation>
</system-security-plan>
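Review bot: for a fixture named VALID this file carries several things that fail schema validation or any stricter constraint: `<metadata>` is empty (OSCAL requires at least `title`, `last-modified`, `version` and `oscal-version`), the `xml-model` points at the OSCAL v1.0.4 schema while the imported profile declares `oscal-version` 1.1.3, the `implemented-requirement` has `control-id="unsupported-id"` although the only control in `resolved-example-profile.xml` is `sample-1`, and the `ac-1_smt.a.1`, `ac-1_smt.b.2`, `ac-1_prm_1` and `mp-2_prm_2` statements and parameters reference ids the profile never defines. Trim it to `control-id="sample-1"` with only the `sample-1_smt*` statements, fill in minimal metadata, and give the by-components distinct uuids (`…-014000000003` and `…-014000000004` are each used twice), so the test passes because the required response points are present rather than because the constraint ignores the rest; the `<p>There</p>` descriptions also read as unfinished placeholders.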
Expand Up @@ -66,7 +66,7 @@
<let var="aggregate-parameters" expression="$resolved-profile//param[prop[@name='aggregates']]/@id"/>
<let var="implemented-parameters-map" expression="map:merge(//set-parameter ! map:entry(@param-id,.))?*"/>
<let var="implemented-statements-map" expression="map:merge(//statement ! map:entry(@statement-id,.))?*"/>
<let var="required-response-points-map" expression="map:merge($resolved-profile//part[@name='statement' and (prop[@name='response-point'])] ! map:entry(@id,.))?*"/>
<let var="required-response-points-map" expression="map:merge($resolved-profile//part[@name='statement' and (.//prop[@name='response-point'])] ! map:entry(@id,.))?*"/>
<index name="index-implemented-statements" target="$implemented-statements-map">
<formal-name>Statements implimented in SSP</formal-name>
<description>This index includes all statements defined in a FedRAMP SSP</description>
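Review bot: changing `prop[@name='response-point']` to `.//prop[@name='response-point']` makes a statement required when any nested item carries a response point, which is what the new profile fixture needs, but the map is still keyed on the `statement` part's `@id`, so an SSP missing `sample-1_smt.a` is not reported as long as `sample-1_smt` is present. If each item with a response point is meant to be required on its own, key on the part that carries the prop instead, e.g. `$resolved-profile//part[@name='statement']/descendant-or-self::part[prop[@name='response-point']] ! map:entry(@id,.)`. Drive-by: the unchanged `formal-name` two lines down spells it "implimented".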
Expand Up @@ -3,7 +3,9 @@ test-case:
description: >-
This test case validates the behavior of constraint
has-required-response-points
content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
content:
- ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
- ../content/ssp-has-required-response-points-VALID.xml
expectations:
- constraint-id: has-required-response-points
result: pass
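Review bot: both content files are expected to `pass`, so the new `.//prop` behaviour is exercised only on its success path; add an `…-INVALID.xml` sibling in which the SSP has no `sample-1_smt` statement, with a second expectation of `result: fail`, so a regression that silently requires nothing (or that starts requiring the `assessment-objective` ids the profile fixture marks EXCLUDED) is caught.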
