Add 'Validation Component' Constraints

features/fedramp_extensions.feature

@@ -41,8 +41,11 @@ Examples:
   | component-has-authentication-method |
   | component-has-diagram-label |
   | component-has-non-provider-responsible-role |
+  | component-has-proof-of-compliance-link |
   | component-has-provider-responsible-role |
   | component-has-used-by-link |
+  | component-has-valid-proof-of-compliance-link |
+  | component-has-validation-reference |
   | component-type |
   | connection-security |
   | control-implementation-status |
@@ -183,6 +186,7 @@ Examples:
   | user-privilege-level |
   | user-sensitivity-level |
   | user-type |
+  | validation-reference-has-correct-format |
 #END_DYNAMIC_CONSTRAINT_IDS
 
 @constraints
@@ -232,8 +236,14 @@ Examples:
   | component-has-diagram-label-PASS.yaml |
   | component-has-non-provider-responsible-role-FAIL.yaml |
   | component-has-non-provider-responsible-role-PASS.yaml |
+  | component-has-proof-of-compliance-link-FAIL.yaml |
+  | component-has-proof-of-compliance-link-PASS.yaml |
   | component-has-used-by-link-FAIL.yaml |
   | component-has-used-by-link-PASS.yaml |
+  | component-has-valid-proof-of-compliance-link-FAIL.yaml |
+  | component-has-valid-proof-of-compliance-link-PASS.yaml |
+  | component-has-validation-reference-FAIL.yaml |
+  | component-has-validation-reference-PASS.yaml |
   | component-responsible-role-references-party-FAIL.yaml |
   | component-responsible-role-references-party-PASS.yaml |
   | component-type-FAIL.yaml |
@@ -516,6 +526,8 @@ Examples:
   | user-sensitivity-level-PASS.yaml |
   | user-type-FAIL.yaml |
   | user-type-PASS.yaml |
+  | validation-reference-has-correct-format-FAIL.yaml |
+  | validation-reference-has-correct-format-PASS.yaml |
 #END_DYNAMIC_TEST_CASES
 
 @style-guide

src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml

@@ -1712,8 +1712,8 @@ compliance (e.g., Module in Process).</p>
       <!-- Provide the validation type for this CM -->
       <prop name="validation-type" value="fips-140-2"/>
       <!-- Provide the certificate number (CMVP #) -->
-      <prop name="validation-reference" value="3928"/>
-      <link rel="validation-details" href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/3928"/>
+      <prop name="validation-reference" value="4811"/>
+      <link rel="proof-of-compliance" href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4811"/>
       <status state="operational"/>
     </component>
     <!-- List all cryptographic modules for Data-in-Transit (DIT) - must referenced by using component(s), provide CMVP #, FIPS validation status, Vendor Name, Module Name, and brief usage description -->
@@ -1731,8 +1731,8 @@ compliance (e.g., Module in Process).</p>
       <!-- Provide the validation type for this CM -->
       <prop name="validation-type" value="fips-140-3"/>
       <!-- Provide the certificate number (CMVP #) -->
-      <prop name="validation-reference" value="3920"/>
-      <link rel="validation-details" href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3920"/>
+      <prop name="validation-reference" value="4811"/>
+      <link rel="proof-of-compliance" href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4811"/>
       <status state="operational"/>
     </component>
 

src/validations/constraints/content/ssp-component-has-proof-of-compliance-link-INVALID.xml

@@ -0,0 +1,9 @@
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="11111111-2222-4000-8000-000000000000">
+  <system-implementation>
+    <component uuid="11111111-2222-4000-8000-009000000000" type="validation">
+      <prop ns="http://fedramp.gov/ns/oscal" name="asset-type" value="cryptographic-module"/>
+      <prop name="validation-type" value="fips-140-2"/>
+      <!-- <link rel="proof-of-compliance" href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4811"/> Missing proof-of-compliance link. -->
+    </component>
+  </system-implementation>
+</system-security-plan>

src/validations/constraints/content/ssp-component-has-valid-proof-of-compliance-link-INVALID.xml

@@ -0,0 +1,10 @@
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="11111111-2222-4000-8000-000000000000">
+  <system-implementation>
+    <component uuid="11111111-2222-4000-8000-009000000000" type="validation">
+      <prop ns="http://fedramp.gov/ns/oscal" name="asset-type" value="cryptographic-module"/>
+      <prop name="validation-type" value="fips-140-2"/>
+      <!-- Missing valid proof-of-compliance link. -->
+      <link rel="proof-of-compliance" href="invalid-link"/> 
+    </component>
+  </system-implementation>
+</system-security-plan>

src/validations/constraints/content/ssp-component-has-validation-reference-INVALID.xml

@@ -0,0 +1,9 @@
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="11111111-2222-4000-8000-000000000000">
+  <system-implementation>
+    <component uuid="11111111-2222-4000-8000-009000000000" type="validation">
+      <prop ns="http://fedramp.gov/ns/oscal" name="asset-type" value="cryptographic-module"/>
+      <prop name="validation-type" value="fips-140-2"/>
+      <!-- <prop name="validation-reference" value="3928"/> Missing validation reference. -->
+    </component>
+  </system-implementation>
+</system-security-plan>

src/validations/constraints/content/ssp-validation-reference-has-correct-format-INVALID.xml

@@ -0,0 +1,10 @@
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="11111111-2222-4000-8000-000000000000">
+  <system-implementation>
+    <component uuid="11111111-2222-4000-8000-009000000000" type="validation">
+      <prop ns="http://fedramp.gov/ns/oscal" name="asset-type" value="cryptographic-module"/>
+      <prop name="validation-type" value="fips-140-2"/>
+      <!-- Validation reference has incorrect format. -->
+      <prop name="validation-reference" value="abcd"/>
+    </component>
+  </system-implementation>
+</system-security-plan>

src/validations/constraints/fedramp-external-constraints.xml

@@ -5,6 +5,32 @@
     <!-- FedRAMP Extensions -->
     <!-- ================== -->
 
+    <context>
+        <metapath target="//component"/>
+        <constraints>
+            <expect id="component-has-proof-of-compliance-link" target=".[@type='validation' and prop[@name='asset-type' and @value='cryptographic-module'] and prop[@name='validation-type' and @value=('fips-140-2', 'fips-140-3')]]" test="count(link[@rel='proof-of-compliance']) eq 1" level="ERROR">
+                <formal-name>Component Has Proof of Compliance Link</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
+                <message>In a FedRAMP SSP, a validation component MUST include a proof of compliance link.</message>
+            </expect>
+            <expect id="component-has-valid-proof-of-compliance-link" target=".[@type='validation' and prop[@name='asset-type' and @value='cryptographic-module'] and prop[@name='validation-type' and @value=('fips-140-2', 'fips-140-3')]]/link[@rel='proof-of-compliance']" test="doc-available(@href)" level="ERROR">
+                <formal-name>Component Has Valid Proof of Compliance Link</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
+                <message>In a FedRAMP SSP, a validation component MUST include a valid proof of compliance link.</message>
+            </expect>
+            <expect id="component-has-validation-reference" target=".[@type='validation' and prop[@name='asset-type' and @value='cryptographic-module'] and prop[@name='validation-type' and @value=('fips-140-2', 'fips-140-3')]]" test="count(prop[@name='validation-reference']) eq 1" level="ERROR">
+                <formal-name>Component Has Validation Reference</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
+                <message>In a FedRAMP SSP, a validation component MUST include a validation reference.</message>
+            </expect>
+            <expect id="validation-reference-has-correct-format" target=".[@type='validation' and prop[@name='asset-type' and @value='cryptographic-module'] and prop[@name='validation-type' and @value=('fips-140-2', 'fips-140-3')]]/prop[@name='validation-reference']" test="matches(@value, '^\d{4}$')" level="ERROR">
+                <formal-name>Validation Reference Has Correct Format</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
+                <message>In a FedRAMP SSP, a validation component MUST include a validation reference with the correct 4-digit format.</message>
+            </expect>
+        </constraints>
+    </context>
+
     <context>
         <metapath target="//user"/>
         <constraints>

src/validations/constraints/unit-tests/component-has-proof-of-compliance-link-FAIL.yaml

@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for component-has-proof-of-compliance-link
+  description: >-
+    This test case validates the behavior of constraint
+    component-has-proof-of-compliance-link
+  content: ../content/ssp-component-has-proof-of-compliance-link-INVALID.xml
+  expectations:
+    - constraint-id: component-has-proof-of-compliance-link
+      result: fail

src/validations/constraints/unit-tests/component-has-proof-of-compliance-link-PASS.yaml

@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for component-has-proof-of-compliance-link
+  description: >-
+    This test case validates the behavior of constraint
+    component-has-proof-of-compliance-link
+  content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+  expectations:
+    - constraint-id: component-has-proof-of-compliance-link
+      result: pass

src/validations/constraints/unit-tests/component-has-valid-proof-of-compliance-link-FAIL.yaml

@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for component-has-valid-proof-of-compliance-link
+  description: >-
+    This test case validates the behavior of constraint
+    component-has-valid-proof-of-compliance-link
+  content: ../content/ssp-component-has-valid-proof-of-compliance-link-INVALID.xml
+  expectations:
+    - constraint-id: component-has-valid-proof-of-compliance-link
+      result: fail

src/validations/constraints/unit-tests/component-has-valid-proof-of-compliance-link-PASS.yaml

@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for component-has-valid-proof-of-compliance-link
+  description: >-
+    This test case validates the behavior of constraint
+    component-has-valid-proof-of-compliance-link
+  content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+  expectations:
+    - constraint-id: component-has-valid-proof-of-compliance-link
+      result: pass

src/validations/constraints/unit-tests/component-has-validation-reference-FAIL.yaml

@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for component-has-validation-reference
+  description: >-
+    This test case validates the behavior of constraint
+    component-has-validation-reference
+  content: ../content/ssp-component-has-validation-reference-INVALID.xml
+  expectations:
+    - constraint-id: component-has-validation-reference
+      result: fail

src/validations/constraints/unit-tests/component-has-validation-reference-PASS.yaml

@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for component-has-validation-reference
+  description: >-
+    This test case validates the behavior of constraint
+    component-has-validation-reference
+  content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+  expectations:
+    - constraint-id: component-has-validation-reference
+      result: pass

src/validations/constraints/unit-tests/validation-reference-has-correct-format-FAIL.yaml

@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for validation-reference-has-correct-format
+  description: >-
+    This test case validates the behavior of constraint
+    validation-reference-has-correct-format
+  content: ../content/ssp-validation-reference-has-correct-format-INVALID.xml
+  expectations:
+    - constraint-id: validation-reference-has-correct-format
+      result: fail

src/validations/constraints/unit-tests/validation-reference-has-correct-format-PASS.yaml

@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for validation-reference-has-correct-format
+  description: >-
+    This test case validates the behavior of constraint
+    validation-reference-has-correct-format
+  content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+  expectations:
+    - constraint-id: validation-reference-has-correct-format
+      result: pass