Constrain information-type-id to SP 800-60v2r1 values

resources/validations/src/ssp-additions.sch

@@ -9,9 +9,6 @@
     <sch:ns
         prefix="oscal"
         uri="http://csrc.nist.gov/ns/oscal/1.0" />
-    <sch:ns
-        prefix="fedramp-it"
-        uri="https://fedramp.gov/ns" />
     <sch:ns
         prefix="fedramp"
         uri="https://fedramp.gov/ns/oscal" />
@@ -529,104 +526,118 @@
 
         </sch:rule>
     </sch:pattern>
-    
+
     <sch:pattern
         see="https://github.com/18F/fedramp-automation/blob/master/documents/Guide_to_OSCAL-based_FedRAMP_System_Security_Plans_(SSP).pdf page 11">
-        
+
         <sch:title>SP 800-60v2r1 Information Types:</sch:title>
-        
+
         <sch:rule
             context="oscal:system-information">
-            
+
             <sch:assert
                 id="system-information-has-information-type"
                 role="error"
                 test="oscal:information-type">A FedRAMP OSCAL SSP must specify at least one information-type.</sch:assert>
-            
+
         </sch:rule>
-        
+
         <sch:rule
             context="oscal:information-type">
-            
+
             <sch:assert
                 id="information-type-has-title"
                 role="error"
                 test="oscal:title">A FedRAMP OSCAL SSP information-type must have a title.</sch:assert>
-            
+
             <sch:assert
                 id="information-type-has-description"
                 role="error"
                 test="oscal:description">A FedRAMP OSCAL SSP information-type must have a description.</sch:assert>
-            
+
             <sch:assert
                 id="information-type-has-categorization"
                 role="error"
                 test="oscal:categorization">A FedRAMP OSCAL SSP information-type must have at least one categorization.</sch:assert>
-            
+
             <sch:assert
                 id="information-type-has-confidentiality-impact"
                 role="error"
                 test="oscal:confidentiality-impact">A FedRAMP OSCAL SSP information-type must have a confidentiality-impact.</sch:assert>
-            
+
             <sch:assert
                 id="information-type-has-integrity-impact"
                 role="error"
                 test="oscal:integrity-impact">A FedRAMP OSCAL SSP information-type must have a integrity-impact.</sch:assert>
-            
+
             <sch:assert
                 id="information-type-has-availability-impact"
                 role="error"
                 test="oscal:availability-impact">A FedRAMP OSCAL SSP information-type must have a availability-impact.</sch:assert>
-            
+
         </sch:rule>
-        
+
         <sch:rule
             context="oscal:categorization">
-            
+
             <sch:assert
                 id="categorization-has-system-attribute"
                 role="error"
                 test="@system">A FedRAMP OSCAL SSP information-type categorization must have a system attribute.</sch:assert>
-            
+
             <sch:assert
                 id="categorization-has-correct-system-attribute"
                 role="error"
                 test="@system = 'https://doi.org/10.6028/NIST.SP.800-60v2r1'">A FedRAMP OSCAL SSP information-type categorization must have a correct
                 system attribute. The correct value is "https://doi.org/10.6028/NIST.SP.800-60v2r1".</sch:assert>
-            
+
             <sch:assert
                 id="categorization-has-information-type-id"
                 role="error"
                 test="oscal:information-type-id">A FedRAMP OSCAL SSP information-type categorization must have at least one
                 information-type-id.</sch:assert>
-            
+
             <!-- FIXME: https://github.com/18F/fedramp-automation/blob/master/documents/Guide_to_OSCAL-based_FedRAMP_System_Security_Plans_(SSP).pdf page 11 has schema error -->
             <!--        confidentiality-impact, integrity-impact, availability-impact are children of <information-type> -->
-
-            <!-- FIXME: constrain information-type-id values to SP 800-60v2r1 -->
-
+
         </sch:rule>
-
+
+        <sch:rule
+            context="oscal:information-type-id">
+
+            <sch:p>Information Types</sch:p>
+
+            <sch:let
+                name="information-types"
+                value="doc('file:../../xml/information-types.xml')//fedramp:information-type/@id" />
+
+            <!-- note the variant namespace and associated prefix -->
+            <sch:assert
+                id="has-allowed-information-type-id"
+                test="current()[. = $information-types]">A FedRAMP OSCAL SSP information-type-id must have a SP 800-60v2r1 identifier.</sch:assert>
+
+        </sch:rule>
+
         <sch:rule
             context="oscal:confidentiality-impact | oscal:integrity-impact | oscal:availability-impact">
-            
+
             <sch:assert
                 id="cia-impact-has-base"
                 role="error"
                 test="oscal:base">A FedRAMP OSCAL SSP information-type confidentiality-, integrity-, or availability-impact must have a base
                 element.</sch:assert>
-            
+
             <sch:assert
                 id="cia-impact-has-selected"
                 role="error"
                 test="oscal:selected">A FedRAMP OSCAL SSP information-type confidentiality-, integrity-, or availability-impact must have a selected
                 element.</sch:assert>
-            
+
         </sch:rule>
-        
+
         <sch:rule
             context="oscal:base | oscal:selected">
-            
+
             <sch:let
                 name="fips-levels"
                 value="('fips-199-low', 'fips-199-moderate', 'fips-199-high')" />
@@ -636,7 +647,7 @@
                 test=". = $fips-levels">A FedRAMP OSCAL SSP information-type confidentiality-, integrity-, or availability-impact base or select
                 element must have an approved value.</sch:assert>
         </sch:rule>
-        
+
     </sch:pattern>
 
     <sch:pattern>
@@ -1074,23 +1085,6 @@
 
         </sch:rule>
 
-        <sch:rule
-            context="oscal:system-information/descendant::oscal:information-type-id"
-            see="DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 11">
-
-            <sch:p>Information Types</sch:p>
-
-            <sch:let
-                name="information-types"
-                value="doc('file:../../xml/information-types.xml')" />
-
-            <!-- note the variant namespace and associated prefix -->
-            <sch:assert
-                id="has-allowed-information-type"
-                test="current()[. = $information-types//fedramp-it:information-type/@id]">Invalid information type</sch:assert>
-
-        </sch:rule>
-
     </sch:pattern>
     <sch:diagnostics>
 

resources/validations/test/ssp-additions.xspec

@@ -2279,6 +2279,31 @@
                     label="that is an error" />
             </x:scenario>
 
+            <x:scenario
+                label="has an allowed information-type-id">
+                <x:context>
+                    <categorization
+                        xmlns="http://csrc.nist.gov/ns/oscal/1.0">
+                        <information-type-id>C.2.1.1</information-type-id>
+                    </categorization>
+                </x:context>
+                <x:expect-not-assert
+                    id="has-allowed-information-type-id"
+                    label="that is correct" />
+            </x:scenario>
+            <x:scenario
+                label="lacks an allowed information-type-id">
+                <x:context>
+                    <categorization
+                        xmlns="http://csrc.nist.gov/ns/oscal/1.0">
+                        <information-type-id>X.2.1.1</information-type-id>
+                    </categorization>
+                </x:context>
+                <x:expect-assert
+                    id="has-allowed-information-type-id"
+                    label="that is an error" />
+            </x:scenario>
+
         </x:scenario>
 
         <x:scenario