Add new metapath target to 'security-level' constraint (#1079)

Gabeblis · web-flow · commit 8c1a343b60cc · 2025-01-09T11:45:37.000-05:00
diff --git a/src/validations/constraints/content/ssp-security-level-INVALID.xml b/src/validations/constraints/content/ssp-security-level-INVALID.xml
@@ -24,4 +24,13 @@
       <security-objective-availability>INVALID-fips-199-moderate</security-objective-availability>
     </security-impact-level>
   </system-characteristics>
+  <system-implementation>
+    <leveraged-authorization uuid="11111111-2222-4000-8000-019000000001">
+      <prop ns="http://fedramp.gov/ns/oscal" name="impact-level" value="INVALID-fips-199-moderate">
+        <remarks>
+          <p>For now, this is a required field. In the future we intend to pull this information directly from FedRAMP's records based on the "leveraged-system-identifier" property's value.</p>
+        </remarks>
+      </prop>
+    </leveraged-authorization>
+  </system-implementation>
 </system-security-plan>
diff --git a/src/validations/constraints/fedramp-external-allowed-values.xml b/src/validations/constraints/fedramp-external-allowed-values.xml
@@ -647,9 +647,10 @@
         <metapath target="/system-security-plan/system-characteristics/security-sensitivity-level"/>
         <metapath target="/system-security-plan/system-characteristics/security-impact-level/(security-objective-confidentiality|security-objective-integrity|security-objective-availability)"/>
         <metapath target="/system-security-plan/system-characteristics/system-information/information-type/(confidentiality-impact|integrity-impact|availability-impact)/(base|selected)"/>
+        <metapath target="/system-security-plan/system-implementation/leveraged-authorization"/>
         <constraints>
-
-            <allowed-values id="security-level" target="." allow-other="no" level="ERROR">
+            <let var="security-level-target" expression="if (prop[@name='impact-level' and @ns='http://fedramp.gov/ns/oscal']) then prop[@name='impact-level' and @ns='http://fedramp.gov/ns/oscal']/@value else ."/>
+            <allowed-values id="security-level" target="$security-level-target" allow-other="no" level="ERROR">
                 <formal-name>Security Impact Level</formal-name>
                 <description>The security objective level as defined by <a href="https://doi.org/10.6028/NIST.SP.800-60v1r1">NIST SP 800-60</a>.
                 </description>
