GSA · wandmagic · Jan 14, 2025 · Jan 9, 2025
@@ -38,6 +38,7 @@ Examples:
   | cia-impact-has-selected |
   | cloud-service-model |
   | component-has-authentication-method |
+  | component-has-diagram-label |
   | component-has-non-provider-responsible-role |
   | component-has-provider-responsible-role |
   | component-has-used-by-link |
@@ -124,6 +125,7 @@ Examples:
   | interconnection-security |
   | inventory-item-allows-authenticated-scan |
   | inventory-item-and-component-has-public |
+  | inventory-item-has-diagram-label |
   | inventory-item-has-function |
   | inventory-item-has-scan-type |
   | inventory-item-has-valid-mac-address |
@@ -216,6 +218,8 @@ Examples:
   | cloud-service-model-PASS.yaml |
   | component-has-authentication-method-FAIL.yaml |
   | component-has-authentication-method-PASS.yaml |
+  | component-has-diagram-label-FAIL.yaml |
+  | component-has-diagram-label-PASS.yaml |
   | component-has-non-provider-responsible-role-FAIL.yaml |
   | component-has-non-provider-responsible-role-PASS.yaml |
   | component-has-used-by-link-FAIL.yaml |
@@ -388,6 +392,8 @@ Examples:
   | inventory-item-allows-authenticated-scan-PASS.yaml |
   | inventory-item-and-component-has-public-FAIL.yaml |
   | inventory-item-and-component-has-public-PASS.yaml |
+  | inventory-item-has-diagram-label-FAIL.yaml |
+  | inventory-item-has-diagram-label-PASS.yaml |
   | inventory-item-has-function-FAIL.yaml |
   | inventory-item-has-function-PASS.yaml |
   | inventory-item-has-scan-type-FAIL.yaml |

@@ -1041,6 +1041,7 @@ these datails are derived from other content in this SSP.</p>
         <p>An authorized service provided by the Awesome Cloud leveraged authorization.</p>
         <p>Describe the service and what it is used for.</p>
       </description>
+      <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
       <prop name="leveraged-authorization-uuid" value="11111111-2222-4000-8000-019000000001"/>
       <prop name="implementation-point" value="external"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="information-type" class="incoming" value="C.3.5.1"/>
@@ -1102,6 +1103,7 @@ leveraged-authorization assembly:</p>
         <p>An non-authorized service provided by the Awesome Cloud leveraged authorization.</p>
         <p>Describe the service and what it is used for.</p>
       </description>
+      <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
       <prop name="implementation-point" value="external"/>
       <prop name="connection-security" value="tls-1.3" ns="http://fedramp.gov/ns/oscal"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="direction" value="outgoing"/>
@@ -1197,6 +1199,7 @@ leveraged-authorization assembly:</p>
       <description>
         <p>An external system to which this system shares an interconnection.</p>
       </description>
+      <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
       <prop name="implementation-point" value="external"/>
       <prop name="direction" value="incoming" ns="http://fedramp.gov/ns/oscal"/>
       <prop name="direction" value="outgoing" ns="http://fedramp.gov/ns/oscal"/>
@@ -1285,6 +1288,7 @@ and "system-poc-technical"</p>
         <p>Describe the purpose of the external system/service; specifically, provide reasons
 for connectivity (e.g., system monitoring, system alerting, download updates, etc.)</p>
       </description>
+      <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
       <prop name="implementation-point" value="external"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="direction" value="incoming"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="direction" value="outgoing"/>
@@ -1430,6 +1434,7 @@ here.</p>
         <p>A service provided by an external system other than the leveraged system.</p>
         <p>Describe the service and what it is used for.</p>
       </description>
+      <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
       <prop name="implementation-point" value="external"/>
       <!--<prop name="direction" value="outgoing"/>-->
       <prop name="leveraged-authorization-uuid" value="11111111-2222-4000-8000-019000000001"/>
@@ -1521,7 +1526,7 @@ leveraged-authorization assembly:</p>
         <p>A service provided by an external system other than the leveraged system.</p>
         <p>Describe the service and what it is used for.</p>
       </description>
-
+      <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
       <prop name="implementation-point" value="internal"/>
       <prop name="public" value="no"/>
       <prop name="connection-security" value="tls-1.3" ns="http://fedramp.gov/ns/oscal"/>
@@ -1598,6 +1603,7 @@ property.</p>
       <description>
         <p>None</p>
       </description>
+      <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
       <prop name="asset-type" value="cli"/>
       <prop name="implementation-point" value="internal"/>
       <prop name="connection-security" value="tls-1.3" ns="http://fedramp.gov/ns/oscal"/>
@@ -1741,6 +1747,7 @@ compliance (e.g., Module in Process).</p>
       <description>
         <p>FUNCTION: Describe typical component function.</p>
       </description>
+      <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
       <prop name="asset-type" value="operating-system"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
       <prop name="vendor-name" value="Vendor Name"/>
@@ -1762,6 +1769,7 @@ compliance (e.g., Module in Process).</p>
       <description>
         <p>FUNCTION: Describe typical component function.</p>
       </description>
+      <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
       <prop name="asset-type" value="operating-system"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
       <prop name="vendor-name" value="Vendor Name"/>
@@ -1783,6 +1791,7 @@ compliance (e.g., Module in Process).</p>
       <description>
         <p>FUNCTION: This container image is the base operating system used in the example. A notional CSP, like Awesome Cloud, would update and customize this image for business, reliability, and security needs.</p>
       </description>
+      <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
       <prop name="asset-type" value="image"/>
       <prop name="checksum" ns="http://fedramp.gov/ns/oscal" value="504931a74cb58330cafb9f59f5e553af3cc63af205dc955f7f80dc981276def0"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
@@ -1808,6 +1817,7 @@ compliance (e.g., Module in Process).</p>
       <description>
         <p>FUNCTION: Describe typical component function.</p>
       </description>
+      <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
       <prop name="asset-type" value="database"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="database"/>
@@ -1830,6 +1840,7 @@ compliance (e.g., Module in Process).</p>
       <description>
         <p>None</p>
       </description>
+      <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
       <prop name="asset-type" value="operating-system"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
       <prop name="baseline-configuration-name" value="Baseline Config. Name"/>
@@ -1841,6 +1852,7 @@ compliance (e.g., Module in Process).</p>
       <description>
         <p>None</p>
       </description>
+      <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
       <prop name="connection-security" value="tls-1.3" ns="http://fedramp.gov/ns/oscal"/>
       <prop name="implementation-point" value="external"/>
       <prop name="direction" value="incoming" ns="http://fedramp.gov/ns/oscal"/>
@@ -1886,6 +1898,7 @@ compliance (e.g., Module in Process).</p>
       <description>
         <p>None</p>
       </description>
+      <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
       <prop name="asset-type" value="appliance"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="web"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="login-url" value="https://admin.offering.com/login"/>
@@ -2268,6 +2281,7 @@ approved.</p>
       <description>
         <p>Email Service</p>
       </description>
+      <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
       <prop name="connection-security" value="tls-1.3" ns="http://fedramp.gov/ns/oscal"/>
       <prop name="implementation-point" value="external"/>
       <prop name="direction" value="incoming" ns="http://fedramp.gov/ns/oscal"/>
@@ -2310,6 +2324,7 @@ approved.</p>
       <description>
         <p>Legacy Example (No implemented-component).</p>
       </description>
+      <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
       <prop name="asset-id" value="unique-asset-ID-01"/>
       <prop name="ipv4-address" value="10.1.1.1"/>
       <prop name="ipv6-address" value="2001:db8:3333:4444:5555:6666:7777:8888"/>
@@ -2364,6 +2379,7 @@ approved.</p>
       <description>
         <p>Component Inventory Example</p>
       </description>
+      <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
       <prop name="asset-id" value="unique-asset-ID-02"/>
       <prop name="ipv4-address" value="10.2.2.2"/>
       <prop name="ipv6-address" value="0000:0000:0000:0000:0000:ffff:0a02:0202"/>
@@ -2407,6 +2423,7 @@ approved.</p>
       <description>
         <p>None.</p>
       </description>
+      <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
       <prop name="asset-id" value="unique-asset-ID-03"/>
       <prop name="asset-type" value="web-server"/>
       <prop name="virtual" value="yes"/>
@@ -2429,6 +2446,7 @@ approved.</p>
       <description>
         <p>None.</p>
       </description>
+      <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
       <prop name="asset-id" value="unique-asset-ID-04"/>
       <prop name="asset-type" value="appliance"/>
       <prop name="virtual" value="yes"/>
@@ -2446,6 +2464,7 @@ approved.</p>
       <description>
         <p>None.</p>
       </description>
+      <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
       <prop name="asset-id" value="unique-asset-ID-05"/>
       <prop name="asset-type" value="firewall"/>
       <prop name="ipv4-address" value="10.5.5.5"/>
@@ -2467,6 +2486,7 @@ approved.</p>
       <description>
         <p>None.</p>
       </description>
+      <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
       <prop name="asset-id" value="unique-asset-ID-06"/>
       <prop name="ipv4-address" value="10.6.6.6"/>
       <prop name="ipv6-address" value="0000:0000:0000:0000:0000:ffff:0a06:0606"/>
@@ -2492,6 +2512,7 @@ approved.</p>
       <description>
         <p>None.</p>
       </description>
+      <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
       <prop name="asset-id" value="unique-asset-ID-07"/>
       <prop name="asset-type" value="switch"/>
       <prop name="ipv4-address" value="10.7.7.7"/>
@@ -2512,6 +2533,7 @@ approved.</p>
       <description>
         <p>None.</p>
       </description>
+      <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
       <prop name="asset-id" value="unique-asset-ID-08"/>
       <prop name="asset-type" value="web-server"/>
       <prop name="ipv4-address" value="10.8.8.8"/>
@@ -2536,6 +2558,7 @@ approved.</p>
       <description>
         <p>Email-Service</p>
       </description>
+      <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
       <prop name="asset-id" value="unique-asset-ID-09"/>
       <prop name="asset-type" value="email-server"/>
       <prop name="ipv4-address" value="10.10.10.100"/>

@@ -0,0 +1,10 @@
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="11111111-2222-4000-8000-000000000000">
+  <system-implementation>
+    <component uuid="11111111-2222-4000-8000-009000000007" type="hardware">
+      <!-- <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/> Missing "diagram-label" prop. -->
+    </component>
+    <inventory-item uuid="11111111-2222-4000-8000-011000000001">
+      <implemented-component component-uuid="11111111-2222-4000-8000-009000000005"/>
+    </inventory-item>
+  </system-implementation>
+</system-security-plan>
@@ -0,0 +1,10 @@
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="11111111-2222-4000-8000-000000000000">
+  <system-implementation>
+    <component uuid="11111111-2222-4000-8000-009000000007" type="process-procedure">
+      <!-- <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/> Missing "diagram-label" prop. -->
+    </component>
+    <inventory-item uuid="11111111-2222-4000-8000-011000000001">
+      <!-- <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/> Missing "diagram-label" prop. -->
+    </inventory-item>
+  </system-implementation>
+</system-security-plan>
@@ -586,11 +586,17 @@
         <metapath target="/system-security-plan/system-implementation"/>
         <constraints>
             <let var="inter-boundary-component" expression="component[(@type=('service','software') and not(prop[@name='leveraged-authorization-uuid']) and prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type=('service','software') and prop[@name='implementation-point' and @value='internal'] and (prop[@name='communicates-externally' and @value='yes' and @ns='http://fedramp.gov/ns/oscal']))]"/>
+            <let var="inventory-linked-component-uuids" expression="inventory-item/implemented-component/@component-uuid"/>
             <expect id="authentication-method-has-remarks" target="//component[(@type='system' and ./prop[@name='leveraged-authorization-uuid']) or (@type='service' and not(./prop[@name='leveraged-authorization-uuid']) and ./prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type='service' and ./prop[@name='implementation-point' and @value='internal'] and ./prop[@name='direction']) or (@type='software' and ./prop[@name='asset-type' and @value='cli'] and ./prop[@name='direction'])]" test="count(./prop[@name='authentication-method' and @ns='http://fedramp.gov/ns/oscal'])  = count(./prop[@name='authentication-method' and @ns='http://fedramp.gov/ns/oscal']/remarks)" level="ERROR">
                 <formal-name>Authentication Method Has Remarks</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#leveraged-fedramp-authorized-services"/>
                 <message>Each authentication method in a FedRAMP SSP MUST have a remarks field.</message>
             </expect>
+            <expect id="component-has-diagram-label" target="component[not(@uuid=$inventory-linked-component-uuids) and @type=('hardware', 'software', 'service', 'interconnection')]" test="count(prop[@name='diagram-label' and @ns='http://fedramp.gov/ns/oscal']) = 1" level="ERROR">
+                <formal-name>Component Has Diagram Label</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
+                <message>In a FedRAMP SSP, each hardware, software, service, and interconnection component MUST include the diagram label.</message>
+            </expect>
             <expect id="component-has-used-by-link" target="component[protocol]" test="count(link[@rel='used-by']) >= 1" level="ERROR">
                 <formal-name>Component Has Used-By Link</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#ports-protocols-and-services"/>
@@ -688,6 +694,11 @@
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
                 <message>For HIGH-impact systems, every inventory-item MUST identify an asset-owner or administrator property either within the inventory-item itself, or within the component linked by the inventory-item.</message>
             </expect>
+            <expect id="inventory-item-has-diagram-label" target="." test="count(prop[@name='diagram-label' and @ns='http://fedramp.gov/ns/oscal']) >= 1 or count(../component[@uuid=$component-uuid]/prop[@name='diagram-label' and @ns='http://fedramp.gov/ns/oscal']) >= 1" level="ERROR">
+                <formal-name>Inventory Item Has Diagram Label</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
+                <message>In a FedRAMP SSP, each inventory item MUST include the diagram label either in the inventory item itself or within the linked component.</message>
+            </expect>
             <expect id="inventory-item-has-function" target="." test="exists(prop[@name='function']/remarks) or exists($implemented-component/prop[@name='function']/remarks)" level="ERROR">
                 <formal-name>Inventory Item Has Function</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>

@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for component-has-diagram-label
+  description: >-
+    This test case validates the behavior of constraint
+    component-has-diagram-label
+  content: ../content/ssp-component-has-diagram-label-INVALID.xml
+  expectations:
+    - constraint-id: component-has-diagram-label
+      result: fail
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for component-has-diagram-label
+  description: >-
+    This test case validates the behavior of constraint
+    component-has-diagram-label
+  content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+  expectations:
+    - constraint-id: component-has-diagram-label
+      result: pass
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for inventory-item-has-diagram-label
+  description: >-
+    This test case validates the behavior of constraint
+    inventory-item-has-diagram-label
+  content: ../content/ssp-inventory-item-has-diagram-label-INVALID.xml
+  expectations:
+    - constraint-id: inventory-item-has-diagram-label
+      result: fail
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for inventory-item-has-diagram-label
+  description: >-
+    This test case validates the behavior of constraint
+    inventory-item-has-diagram-label
+  content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+  expectations:
+    - constraint-id: inventory-item-has-diagram-label
+      result: pass