GSA/fedramp-automation

Check "prepared by" metadata for a document

Closed this issue · 1 comment

Constraint Task

As a digital authorization package maintainer, to meet FedRAMP requirements, avoid pass-backs, and properly identify who prepared the SSP, I want to know that all documents in my package have properly identified who prepared them, or otherwise return a passback error.

Intended Outcome

  • A constraint to check that there is a role with an ID of "prepared-by". (id="role-defined-prepared-by" level="ERROR")
  • A constraint to check that there is a responsible party bound to that role. (id="responsible-party-prepared-by" level="ERROR")
  • A constraint to check that the party bound to prepared-by has address information, either as an address assembly embedded in the party or via a location-uuid, with at least the following minimum fields (id="responsible-party-prepared-by-location-valid" level="WARNING"):
         <address type="work">
            <addr-line>...</addr-line>
            <city>...</city>
            <state>...</state>
            <postal-code>...</postal-code>
            <!-- country required by other constraints -->
         </address>

Syntax Type

This is required core OSCAL syntax.

Allowed Values

There are no relevant allowed values.

Metapath(s) to Content

/system-security-plan/metadata/role[@id="prepared-by"]
/system-security-plan/metadata/responsible-party[@role-id="prepared-by"]
/system-security-plan/metadata/responsible-party[@role-id="prepared-by"]/@party-uuid
/system-security-plan/metadata/party/location-uuid
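The three checks in the Intended Outcome, walked along the metapaths above, as an added stand-alone example; this is not code from the fedramp-automation repository and not a Metaschema constraint definition. It assumes the OSCAL 1.0 XML namespace, uses the constraint ids and levels listed in this issue, and runs over constructed SSP metadata (one passing document and one failing document per constraint). Address resolution covers both the embedded address assembly and the by-reference location-uuid mentioned in the comment below.

```python
# Added example: applies the "prepared-by" constraints from this issue to SSP metadata.
# Constraint ids/levels come from the issue; all sample documents are constructed.
import xml.etree.ElementTree as ET

NS = {"o": "http://csrc.nist.gov/ns/oscal/1.0"}
ROLE_ID = "prepared-by"
# Minimum address fields named in the issue (country is covered by other constraints).
REQUIRED_ADDRESS_FIELDS = ("addr-line", "city", "state", "postal-code")


def _address_complete(address) -> bool:
    """True when every minimum field exists and carries non-blank text."""
    if address is None:
        return False
    for field in REQUIRED_ADDRESS_FIELDS:
        el = address.find(f"o:{field}", NS)
        if el is None or not (el.text or "").strip():
            return False
    return True


def _party_address(meta, party):
    """Resolve the party's address: embedded <address>, else the referenced <location>."""
    embedded = party.find("o:address", NS)
    if embedded is not None:
        return embedded
    for ref in party.findall("o:location-uuid", NS):
        wanted = (ref.text or "").strip()
        # Compare attributes in Python rather than splicing document text into an XPath predicate.
        for loc in meta.findall("o:location", NS):
            if loc.get("uuid") == wanted:
                return loc.find("o:address", NS)
    return None


def check_prepared_by(ssp_xml: str) -> list[tuple[str, str]]:
    """Return (constraint-id, level) findings; an empty list means all three checks pass."""
    root = ET.fromstring(ssp_xml)
    meta = root.find("o:metadata", NS)

    # 1. /system-security-plan/metadata/role[@id="prepared-by"] must exist.
    if meta is None or meta.find(f"o:role[@id='{ROLE_ID}']", NS) is None:
        return [("role-defined-prepared-by", "ERROR")]

    # 2. A responsible-party must be bound to that role.
    rp = meta.find(f"o:responsible-party[@role-id='{ROLE_ID}']", NS)
    if rp is None:
        return [("responsible-party-prepared-by", "ERROR")]

    # 3. Every bound party must resolve to an address carrying the minimum fields.
    party_uuids = {(pu.text or "").strip() for pu in rp.findall("o:party-uuid", NS)}
    parties = [p for p in meta.findall("o:party", NS) if p.get("uuid") in party_uuids]
    if not parties or not all(_address_complete(_party_address(meta, p)) for p in parties):
        return [("responsible-party-prepared-by-location-valid", "WARNING")]
    return []


def _ssp(metadata_inner: str) -> str:
    """Wrap constructed metadata in a minimal SSP document."""
    return (f'<system-security-plan xmlns="{NS["o"]}"><metadata>'
            f"{metadata_inner}</metadata></system-security-plan>")


ROLE = '<role id="prepared-by"><title>Prepared By</title></role>'
PARTY_UUID = "22222222-2222-4222-8222-222222222222"   # constructed
LOCATION_UUID = "33333333-3333-4333-8333-333333333333"  # constructed
BINDING = (f'<responsible-party role-id="prepared-by">'
           f"<party-uuid>{PARTY_UUID}</party-uuid></responsible-party>")
FULL_ADDRESS = ('<address type="work"><addr-line>1 Example Way</addr-line><city>Anytown</city>'
                "<state>VA</state><postal-code>20000</postal-code></address>")

# Known good: role, binding, and an embedded work address.
GOOD_SSP = _ssp(ROLE + f'<party uuid="{PARTY_UUID}" type="organization">'
                f"<name>Example CSP</name>{FULL_ADDRESS}</party>" + BINDING)
# Known bad: no prepared-by role at all.
NO_ROLE_SSP = _ssp(f'<party uuid="{PARTY_UUID}" type="organization"><name>X</name></party>')
# Known bad: role exists but nobody is bound to it.
NO_BINDING_SSP = _ssp(ROLE + f'<party uuid="{PARTY_UUID}" type="organization"><name>X</name></party>')
# Known bad: address supplied by location-uuid, but the location lacks a postal-code.
INCOMPLETE_LOCATION_SSP = _ssp(
    ROLE
    + f'<location uuid="{LOCATION_UUID}"><address type="work"><addr-line>1 Example Way</addr-line>'
      "<city>Anytown</city><state>VA</state></address></location>"
    + f'<party uuid="{PARTY_UUID}" type="organization"><name>X</name>'
      f"<location-uuid>{LOCATION_UUID}</location-uuid></party>"
    + BINDING
)

if __name__ == "__main__":
    for name, doc in [("good", GOOD_SSP), ("no-role", NO_ROLE_SSP),
                      ("no-binding", NO_BINDING_SSP), ("incomplete-location", INCOMPLETE_LOCATION_SSP)]:
        print(name, check_prepared_by(doc))
```

The checker stops at the first failing constraint because the later ones presuppose the earlier ones (a party binding cannot be evaluated without the role), which mirrors the ERROR/WARNING ordering in the Intended Outcome; the known-good and known-bad documents are the shape of test content the Acceptance Criteria ask for.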

Purpose of the OSCAL Content

  1. Check completeness of metadata around package document maintainers.

Dependencies

No response

Acceptance Criteria

  • All OSCAL adoption content affected by the change in this issue has been updated in accordance with the Documentation Standards.
    • Explanation is present and accurate.
    • Sample content is present and accurate.
    • Metapath is present, accurate, and does not throw a syntax exception using oscal-cli metaschema metapath eval -e "expression".
  • All constraints associated with the review task have been created
  • The appropriate example OSCAL file is updated with content that demonstrates the FedRAMP-compliant OSCAL presentation.
  • The constraint conforms to the FedRAMP Constraint Style Guide.
    • All automated and manual review items that identify non-conformance are addressed; or technical leads (David Waltermire; AJ Stein) have approved the PR and “override” the style guide requirement.
  • Known good test content is created for unit testing.
  • Known bad test content is created for unit testing.
  • Unit testing is configured to run both known good and known bad test content examples.
  • Passing and failing unit tests, and corresponding test vectors in the form of known valid and invalid OSCAL test files, are created or updated for each constraint.
  • A Pull Request (PR) is submitted that fully addresses the goals section of the User Story in the issue.
  • This issue is referenced in the PR.

Other information

This task is part of #805.

@Gabeblis, apologies, the requirements mistake is completely on me. See #805 (comment) and the above message for more details. I am going to update the requirements above, but can you also check the embedded address assembly, not just the by-reference location-uuid approach? 🤦