From 372a8f3b74b83f3671a74d4951b9e1d3981ed3a2 Mon Sep 17 00:00:00 2001
From: "~ . ~" <156969148+wandmagic@users.noreply.github.com>
Date: Thu, 9 Jan 2025 14:54:24 -0500
Subject: [PATCH] Squashed commit of the following:

commit 8c1a343b60cc162ab325b9a9ee75aab9cca01bfd
Author: Gabeblis <gabriel.rodriguez@gsa.gov>
Date:   Thu Jan 9 11:45:37 2025 -0500

    Add new metapath target to 'security-level' constraint (#1079)

commit 608080ddc3697c5de8fdf0488b221146aeadd678
Author: wandmagic <156969148+wandmagic@users.noreply.github.com>
Date:   Thu Jan 9 09:29:17 2025 -0500

    add additional sample content (#1081)

commit 1f55a73df1df93e8e33f5e2d3509a613adf823c3
Author: Gabeblis <gabriel.rodriguez@gsa.gov>
Date:   Thu Jan 9 09:22:28 2025 -0500

    Correct constraint message. (#1085)

commit 18a02c93b47d11c623730fe458feaeae6a2101e4
Author: wandmagic <156969148+wandmagic@users.noreply.github.com>
Date:   Wed Jan 8 09:37:15 2025 -0500

    Hotfix styles (#1076)

    * style guide hotfix

    * Update fedramp-external-constraints.xml

commit 60b3c5077782c17e0decb20863e5468e7b8b0888
Author: DimitriZhurkin <dimitri.zhurkin@noblis.org>
Date:   Wed Jan 8 07:14:14 2025 -0700

    Add the inter-boundary-component-has-information-type constraint (#1066)

    * Add the inter-boundary-component-has-information-type constraint

    * clean up ssp-inter-boundary-component-has-information-type-INVALID.xml

commit d7b06235c1d8779c7a57fc68bf60f92859a30a1d
Author: wandmagic <156969148+wandmagic@users.noreply.github.com>
Date:   Tue Jan 7 14:47:44 2025 -0500

    fix constraints (#1070)

commit fc50a42fe67741fa534a71e8b36600950c02a7fc
Author: wandmagic <156969148+wandmagic@users.noreply.github.com>
Date:   Fri Jan 3 14:21:47 2025 -0500

    hotfix develop (#1064)
---
 .../ssp/xml/fedramp-ssp-example.oscal.xml     |  48 +++++--
 .../content/resolved-example-profile.xml      |  33 +++++
 ...ssp-has-required-response-points-VALID.xml | 118 ++++++++++++++++++
 .../content/ssp-security-level-INVALID.xml    |   9 ++
 .../fedramp-external-allowed-values.xml       |   5 +-
 .../fedramp-external-constraints.xml          |   4 +-
 .../has-required-response-points-PASS.yaml    |   4 +-
 7 files changed, 209 insertions(+), 12 deletions(-)
 create mode 100644 src/validations/constraints/content/resolved-example-profile.xml
 create mode 100644 src/validations/constraints/content/ssp-has-required-response-points-VALID.xml

diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
index 769cc3a18..171d69de9 100644
--- a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+++ b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
@@ -2577,8 +2577,9 @@ SSP authors must add implmentations for all required controls.
         <value>at least every 3 years</value>
       </set-parameter><set-parameter param-id="ac-01_odp.07">
         <value>at least annually</value>
-      </set-parameter><statement statement-id="ac-1_smt.a.1" uuid="11111111-2222-4000-8000-013000000001">
-        <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000001">
+      </set-parameter>
+      <statement statement-id="ac-1_smt" uuid="11111117-2222-4000-8000-013000000001">
+<by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000001">
           <description>
             <p>Describe how Part a is satisfied within the system.</p>
             <p>Legacy approach. If no policy component is defined, describe here how the policy satisfies part a.</p>
@@ -2608,6 +2609,37 @@ SSP authors must add implmentations for all required controls.
                     </responsible-role>
         </by-component>
       </statement>
+      <statement statement-id="ac-1_smt.a.1" uuid="11111111-2222-4000-8000-013000000001">
+        <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8880-014000000001">
+          <description>
+            <p>Describe how Part a is satisfied within the system.</p>
+            <p>Legacy approach. If no policy component is defined, describe here how the policy satisfies part a.</p>
+            <p>In this case, a link must be provided to the policy.</p>
+            <p>FedRAMP prefers all policies and procedures be attached as a resource in the back-matter. The link points to a resource.</p>
+          </description>
+          <link href="#11111111-2222-4000-8000-001000000005" rel="policy"/>
+          <link href="#11111111-2222-4000-8000-001000000023" rel="procedure"/>
+          <implementation-status state="operational"/>
+                    <responsible-role role-id="system-admin">
+                        <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
+                    </responsible-role>
+          <remarks>
+            <p>The specified component is the system itself.</p>
+            <p>Any control implementation response that can not be associated with another component is associated with the component representing the system.</p>
+          </remarks>
+        </by-component>
+        <by-component component-uuid="11111111-2222-4000-8000-009000000012" uuid="11111111-2222-4000-8000-014000000012">
+          <description>
+            <p>Describe how this policy component satisfies part a.</p>
+            <p>Component approach. This links to a component representing the Identity Management and Access Control Policy.</p>
+            <p>That component contains a link to the policy, so it does not have to be linked here too.</p>
+          </description>
+          <implementation-status state="operational"/>
+                    <responsible-role role-id="system-admin">
+                        <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
+                    </responsible-role>
+        </by-component>
+      </statement>
       <statement statement-id="ac-1_smt.a.2" uuid="11111111-2222-4000-8000-013000000002">
         <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000003">
           <description>
@@ -2841,7 +2873,7 @@ SSP authors must add implmentations for all required controls.
                     </responsible-role>
         </by-component>
       </statement><statement statement-id="at-1_smt.a" uuid="11111111-2222-4000-8000-013000000008">
-        <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000012">
+        <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000017">
           <description>
             <p>Describe how Part a is satisfied.</p>
           </description>
@@ -2911,7 +2943,7 @@ SSP authors must add implmentations for all required controls.
       </set-parameter><responsible-role role-id="information-system-security-officer">
         <party-uuid>11111111-2222-4000-8000-004000000011</party-uuid>
       </responsible-role><statement statement-id="au-1_smt" uuid="11111111-2222-4000-8000-013000000011">
-        <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000017">
+        <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8800-004000000017">
           <description>
             <p>Describe how the control is satisfied within the system.</p>
           </description>
@@ -3811,7 +3843,7 @@ SSP authors must add implmentations for all required controls.
         <value>All employees, contractors, and third-party vendors who handle sensitive information or have access to organizational media.</value>
       </set-parameter><responsible-role role-id="information-system-security-officer">
         <party-uuid>11111111-2222-4000-8000-004000000011</party-uuid>
-      </responsible-role><statement statement-id="_smt" uuid="11111111-2222-4000-8000-013000000039">
+      </responsible-role><statement statement-id="mp-1_smt" uuid="11111111-2222-4000-8000-013000000039">
         <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000059">
           <description>
             <p>Describe how the control is satisfied within the system.</p>
@@ -3826,7 +3858,9 @@ SSP authors must add implmentations for all required controls.
                         <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
                     </responsible-role>
         </by-component>
-      </statement><statement statement-id="mp-1_smt.a" uuid="11111111-2222-4000-8000-013000000040">
+      </statement>
+      
+      <statement statement-id="mp-1_smt.a" uuid="11111111-2222-4000-8000-013000000040">
         <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000060">
           <description>
             <p>For the portion of the control satisfied by the service provider, describe <strong>how</strong> the control is met.</p>
@@ -3896,7 +3930,7 @@ SSP authors must add implmentations for all required controls.
         <value>All personnel with access to company facilities or systems, including employees, contractors, and third-party vendors.</value>
       </set-parameter><responsible-role role-id="information-system-security-officer">
         <party-uuid>11111111-2222-4000-8000-004000000011</party-uuid>
-      </responsible-role><statement statement-id="_smt" uuid="11111111-2222-4000-8000-013000000043">
+      </responsible-role><statement statement-id="pe-1_smt" uuid="11111111-2222-4000-8000-013000000043">
         <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000065">
           <description>
             <p>Describe how the control is satisfied within the system.</p>
diff --git a/src/validations/constraints/content/resolved-example-profile.xml b/src/validations/constraints/content/resolved-example-profile.xml
new file mode 100644
index 000000000..ce2dd5bc1
--- /dev/null
+++ b/src/validations/constraints/content/resolved-example-profile.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="2a1553a7-2ae5-4669-a260-7c6fe6215170">
+    <metadata>
+        <title>Sample</title>
+        <last-modified>2025-01-08T00:00:00Z</last-modified>
+        <version>1.0</version>
+        <oscal-version>1.1.3</oscal-version>
+    </metadata>
+    <control id="sample-1">
+        <title>Sample 1</title>
+        <part name="statement" id="sample-1_smt">
+            <part name="item" id="sample-1_smt.a">
+                <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="You must fill in this response point." />
+                <p>Should be INCLUDED (sample-1_smt.a)</p>
+                <part name="item" id="sample-1_smt.a.1">
+                    <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="You must fill in this response point." />
+                    <p>Should be INCLUDED (sample-1_smt.a.1)</p>
+                </part>
+            </part>
+        </part>
+
+        <part id="sample-1_obj" name="assessment-objective">
+            <part id="sample-1_obj.a" name="assessment-objective">
+                <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="You must fill in this response point."/>
+                <p>this should be EXCLUDED (sample-1_obj.a)</p>
+                <part id="sample-1_obj.a-1" name="assessment-objective">
+                    <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="You must fill in this response point."/>
+                    <p>this should be EXCLUDED (sample-1_obj.a-1)</p>
+                </part>
+            </part>
+        </part>
+    </control>
+</catalog>
\ No newline at end of file
diff --git a/src/validations/constraints/content/ssp-has-required-response-points-VALID.xml b/src/validations/constraints/content/ssp-has-required-response-points-VALID.xml
new file mode 100644
index 000000000..c32acfbf1
--- /dev/null
+++ b/src/validations/constraints/content/ssp-has-required-response-points-VALID.xml
@@ -0,0 +1,118 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<?xml-model href="https://raw.githubusercontent.com/usnistgov/OSCAL/v1.0.4/xml/schema/oscal_complete_schema.xsd" schematypens="http://www.w3.org/2001/XMLSchema" title="OSCAL complete schema"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="11111111-2222-4000-8000-000000000000">
+<metadata></metadata>
+     <import-profile href="resolved-example-profile.xml"/>
+     <control-implementation>
+     <description></description>
+         <implemented-requirement uuid="11111111-2222-4000-8000-012000000001" control-id="unsupported-id">
+            <prop name="control-origination" ns="http://fedramp.gov/ns/oscal" value="sp-system"/>
+            <link href="#11111111-2222-4000-8000-001000000005" rel="policy"/>
+            <link href="#11111111-2222-4000-8000-001000000023" rel="procedure"/>
+            <set-parameter param-id="ac-1_prm_1">
+                <value>organization-defined personnel or roles</value>
+            </set-parameter>
+                        <set-parameter param-id="mp-2_prm_2">
+                <value>Chief Information Security Officer, Information System Security Officers, and System Administrators</value>
+            </set-parameter>
+                        <statement statement-id="sample-1_smt" uuid="11111111-2222-4000-8000-013000000008">
+                <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000003">
+                    <description>
+                        <p>There</p>
+                    </description>
+                    <prop name="planned-completion-date" ns="http://fedramp.gov/ns/oscal" value="2024-01-31Z"/>
+                    <implementation-status state="partial">
+                        <remarks>
+                            <p>Describe the plan to complete the implementation.</p>
+                        </remarks>
+                    </implementation-status>
+                </by-component>
+                <by-component component-uuid="11111111-2222-4000-8000-009000000013" uuid="11111111-2222-4000-8000-014000000004">
+                    <description>
+                        <p>Describe how this policy currently satisfies part a.</p>
+                    </description>
+                    <prop name="planned-completion-date" ns="http://fedramp.gov/ns/oscal" value="2024-01-31Z">
+                        <remarks>
+                            <p>Describe the plan for addressing the missing policy elements.</p>
+                        </remarks>
+                    </prop>
+                    <implementation-status state="partial">
+                        <remarks>
+                            <p>Identify what is currently missing from this policy.</p>
+                        </remarks>
+                    </implementation-status>
+                </by-component>
+            </statement>
+            <statement statement-id="ac-1_smt.a.1" uuid="11111111-2222-4000-8000-013000000001">
+                <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000001">
+                    <description>
+                        <p>Describe how Part a is satisfied within the system.</p>
+                        <p>Legacy approach. If no policy component is defined, describe here how the policy satisfies part a.</p>
+                        <p>In this case, a link must be provided to the policy.</p>
+                        <p>FedRAMP prefers all policies and procedures be attached as a resource in the back-matter. The link points to a resource.</p>
+                    </description>
+                    <link href="#11111111-2222-4000-8000-001000000005" rel="policy"/>
+                    <link href="#11111111-2222-4000-8000-001000000023" rel="procedure"/>
+                    <implementation-status state="operational"/>
+                    <remarks>
+                        <p>The specified component is the system itself.</p>
+                        <p>Any control implementation response that can not be associated with another component is associated with the component representing the system.</p>
+                    </remarks>
+                </by-component>
+                <by-component component-uuid="11111111-2222-4000-8000-009000000012" uuid="11111111-2222-4000-8000-014000000002">
+                    <description>
+                        <p>Describe how this policy component satisfies part a.</p>
+                        <p>Component approach. This links to a component representing the Identity Management and Access Control Policy.</p>
+                        <p>That component contains a link to the policy, so it does not have to be linked here too.</p>
+                    </description>
+                    <implementation-status state="operational"/>
+                </by-component>
+            </statement>
+            <statement statement-id="sample-1_smt.a" uuid="11111111-2222-4000-8000-013000000002">
+                <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000003">
+                    <description>
+                        <p>There</p>
+                    </description>
+                    <prop name="planned-completion-date" ns="http://fedramp.gov/ns/oscal" value="2024-01-31Z"/>
+                    <implementation-status state="partial">
+                        <remarks>
+                            <p>Describe the plan to complete the implementation.</p>
+                        </remarks>
+                    </implementation-status>
+                </by-component>
+                <by-component component-uuid="11111111-2222-4000-8000-009000000013" uuid="11111111-2222-4000-8000-014000000004">
+                    <description>
+                        <p>Describe how this policy currently satisfies part a.</p>
+                    </description>
+                    <prop name="planned-completion-date" ns="http://fedramp.gov/ns/oscal" value="2024-01-31Z">
+                        <remarks>
+                            <p>Describe the plan for addressing the missing policy elements.</p>
+                        </remarks>
+                    </prop>
+                    <implementation-status state="partial">
+                        <remarks>
+                            <p>Identify what is currently missing from this policy.</p>
+                        </remarks>
+                    </implementation-status>
+                </by-component>
+            </statement>
+
+            <statement statement-id="sample-1_smt.a.1" uuid="11111111-2222-4000-8000-013000000003">
+                <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000005">
+                    <description>
+                        <p>Describe how Part b-1 is satisfied.</p>
+                    </description>
+                    <implementation-status state="operational"/>
+                </by-component>
+            </statement>
+            <statement statement-id="ac-1_smt.b.2" uuid="11111111-2222-4000-8000-013000000004">
+                <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000006">
+                    <description>
+                        <p>Describe how Part b-2 is satisfied.</p>
+                    </description>
+                    <implementation-status state="operational"/>
+                </by-component>
+            </statement>
+        </implemented-requirement>
+    </control-implementation>
+</system-security-plan>
\ No newline at end of file
diff --git a/src/validations/constraints/content/ssp-security-level-INVALID.xml b/src/validations/constraints/content/ssp-security-level-INVALID.xml
index 33d9cdaef..fa4f426b4 100644
--- a/src/validations/constraints/content/ssp-security-level-INVALID.xml
+++ b/src/validations/constraints/content/ssp-security-level-INVALID.xml
@@ -24,4 +24,13 @@
       <security-objective-availability>INVALID-fips-199-moderate</security-objective-availability>
     </security-impact-level>
   </system-characteristics>
+  <system-implementation>
+    <leveraged-authorization uuid="11111111-2222-4000-8000-019000000001">
+      <prop ns="http://fedramp.gov/ns/oscal" name="impact-level" value="INVALID-fips-199-moderate">
+        <remarks>
+          <p>For now, this is a required field. In the future we intend to pull this information directly from FedRAMP's records based on the "leveraged-system-identifier" property's value.</p>
+        </remarks>
+      </prop>
+    </leveraged-authorization>
+  </system-implementation>
 </system-security-plan>
\ No newline at end of file
diff --git a/src/validations/constraints/fedramp-external-allowed-values.xml b/src/validations/constraints/fedramp-external-allowed-values.xml
index 592df480c..4e2013a05 100644
--- a/src/validations/constraints/fedramp-external-allowed-values.xml
+++ b/src/validations/constraints/fedramp-external-allowed-values.xml
@@ -647,9 +647,10 @@
         <metapath target="/system-security-plan/system-characteristics/security-sensitivity-level"/>
         <metapath target="/system-security-plan/system-characteristics/security-impact-level/(security-objective-confidentiality|security-objective-integrity|security-objective-availability)"/>
         <metapath target="/system-security-plan/system-characteristics/system-information/information-type/(confidentiality-impact|integrity-impact|availability-impact)/(base|selected)"/>
+        <metapath target="/system-security-plan/system-implementation/leveraged-authorization"/>
         <constraints>
-
-            <allowed-values id="security-level" target="." allow-other="no" level="ERROR">
+            <let var="security-level-target" expression="if (prop[@name='impact-level' and @ns='http://fedramp.gov/ns/oscal']) then prop[@name='impact-level' and @ns='http://fedramp.gov/ns/oscal']/@value else ."/>
+            <allowed-values id="security-level" target="$security-level-target" allow-other="no" level="ERROR">
                 <formal-name>Security Impact Level</formal-name>
                 <description>The security objective level as defined by <a href="https://doi.org/10.6028/NIST.SP.800-60v1r1">NIST SP 800-60</a>.
                 </description>
diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
index 856cad3df..af1baef6b 100644
--- a/src/validations/constraints/fedramp-external-constraints.xml
+++ b/src/validations/constraints/fedramp-external-constraints.xml
@@ -66,7 +66,7 @@
             <let var="aggregate-parameters" expression="$resolved-profile//param[prop[@name='aggregates']]/@id"/>
             <let var="implemented-parameters-map" expression="map:merge(//set-parameter ! map:entry(@param-id,.))?*"/>          
             <let var="implemented-statements-map" expression="map:merge(//statement ! map:entry(@statement-id,.))?*"/>          
-            <let var="required-response-points-map" expression="map:merge($resolved-profile//part[@name='statement' and (prop[@name='response-point'])] ! map:entry(@id,.))?*"/>          
+            <let var="required-response-points-map" expression="map:merge($resolved-profile//part[@name='statement' and (.//prop[@name='response-point'])] ! map:entry(@id,.))?*"/>          
             <index name="index-implemented-statements" target="$implemented-statements-map">
                 <formal-name>Statements implimented in SSP</formal-name>
                 <description>This index includes all statements defined in a FedRAMP SSP</description>
@@ -151,7 +151,7 @@
             <expect id="leveraged-authorization-has-valid-impact-level" target="//leveraged-authorization/prop[@name='impact-level'][@ns='http://fedramp.gov/ns/oscal']/@value" test=". = $sensitivity-level-floor" level="ERROR">
                 <formal-name>Leveraged Authorization Has Valid Impact Level</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#leveraged-fedramp-authorized-services"/>
-                <message>A FedRAMP SSP MUST define the appropriate FIPS-199 impact level (low, moderate, or high) for each leveraged authorization.</message>
+                <message>The FIPS-199 impact level of the leveraged system MUST be the same or higher than the impact level of this system.</message>
             </expect>
             <expect id="non-provider-responsible-role-references-user" target="." test="$non-provider-user-has-function-performed" level="ERROR">
                 <formal-name>Non-Provider Responsible Role References User</formal-name>
diff --git a/src/validations/constraints/unit-tests/has-required-response-points-PASS.yaml b/src/validations/constraints/unit-tests/has-required-response-points-PASS.yaml
index 719e673d1..0f80b159d 100644
--- a/src/validations/constraints/unit-tests/has-required-response-points-PASS.yaml
+++ b/src/validations/constraints/unit-tests/has-required-response-points-PASS.yaml
@@ -3,7 +3,9 @@ test-case:
   description: >-
     This test case validates the behavior of constraint
     has-required-response-points
-  content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+  content: 
+    - ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+    - ../content/ssp-has-required-response-points-VALID.xml
   expectations:
     - constraint-id: has-required-response-points
       result: pass