
Check for Issue Response Points #38

Merged
merged 1 commit into from
Dec 16, 2020
58 changes: 56 additions & 2 deletions resources/validations/src/ssp.sch
Expand Up @@ -211,14 +211,14 @@

<sch:rule context="/o:system-security-plan/o:control-implementation">
<sch:let name="registry" value="$registry-href => lv:registry()"/>
<sch:let name="registry-namespace" value="$registry/f:fedramp-values/f:namespace/f:ns/@ns"/>
<sch:let name="registry-ns" value="$registry/f:fedramp-values/f:namespace/f:ns/@ns"/>
<sch:let name="sensitivity-level" value="/ => lv:sensitivity-level()"/>
<sch:let name="ok-values" value="$registry/f:fedramp-values/f:value-set[@name='control-implementation-status']"/>
<sch:let name="selected-profile" value="$sensitivity-level => lv:profile()"/>
<sch:let name="required-controls" value="$selected-profile/*//o:control"/>
<sch:let name="implemented" value="o:implemented-requirement"/>
<sch:let name="all-missing" value="$required-controls[not(@id = $implemented/@control-id)]"/>
<sch:let name="core-missing" value="$required-controls[o:prop[@name='CORE' and @ns=$registry-namespace] and @id = $all-missing/@id]"/>
<sch:let name="core-missing" value="$required-controls[o:prop[@name='CORE' and @ns=$registry-ns] and @id = $all-missing/@id]"/>
<sch:let name="extraneous" value="$implemented[not(@control-id = $required-controls/@id)]"/>
<sch:report id="each-required-control-report" test="count($required-controls) > 0">The following <sch:value-of select="count($required-controls)"/><sch:value-of select="if (count($required-controls)=1) then ' control' else ' controls'"/> are required: <sch:value-of select="$required-controls/@id"/></sch:report>
<sch:assert role="error" id="incomplete-core-implemented-requirements" test="not(exists($core-missing))">This SSP has not implemented the most important <sch:value-of select="count($core-missing)"/> core<sch:value-of select="if (count($core-missing)=1) then ' control' else ' controls'"/>: <sch:value-of select="$core-missing/@id"/></sch:assert>
Expand All @@ -230,10 +230,64 @@
</sch:rule>

<sch:rule context="/o:system-security-plan/o:control-implementation/o:implemented-requirement">
<sch:let name="sensitivity-level" value="/ => lv:sensitivity-level() => lv:if-empty-default('')"/>
<sch:let name="selected-profile" value="$sensitivity-level => lv:profile()"/>
<sch:let name="registry" value="$registry-href => lv:registry()"/>
<sch:let name="registry-ns" value="$registry/f:fedramp-values/f:namespace/f:ns/@ns"/>
<sch:let name="status" value="./o:annotation[@name='implementation-status']/@value"/>
<sch:let name="corrections" value="lv:correct($registry/f:fedramp-values/f:value-set[@name='control-implementation-status'], $status)"/>
<sch:let name="required-response-points" value="$selected-profile/o:catalog//o:part[@name='item' and o:prop[@name='response-point' and @ns=$registry-ns]]"/>
<sch:let name="implemented" value="/o:system-security-plan/o:control-implementation/o:implemented-requirement/o:statement"/>
<sch:let name="missing" value="$required-response-points[not(@id = $implemented/@statement-id)]"/>
<sch:assert role="error" id="invalid-implementation-status" test="not(exists($corrections))">Invalid status '<sch:value-of select="$status"/>' for <sch:value-of select="./@control-id"/>, must be <sch:value-of select="$corrections"/></sch:assert>
<sch:report id="implemented-response-points" test="exists($implemented)"
>This SSP has implemented a statement for each of the following lettered response points for required controls: <sch:value-of select="$implemented/@statement-id"/>.</sch:report>
<sch:assert role="error" id="missing-response-points" test="not(exists($missing))"
>This SSP has not implemented a statement for each of the following lettered response points for required controls: <sch:value-of select="$missing/@id"/>.</sch:assert>
</sch:rule>

<sch:rule context="/o:system-security-plan/o:control-implementation/o:implemented-requirement/o:statement">
<sch:let name="required-components-count" value="1"/>
<sch:let name="required-length" value="20"/>
<sch:let name="components-count" value="./o:by-component => count()"/>
<sch:let name="remarks" value="./o:remarks => normalize-space()"/>
<sch:let name="remarks-length" value="$remarks => string-length()"/>
<sch:assert role="warning" id="missing-response-components" test="$components-count >= $required-components-count"
>Response statements for <sch:value-of select="./@statement-id"/> must have at least <sch:value-of select="$required-components-count"/><sch:value-of select="if (count($components-count)=1) then ' component' else ' components'"/> with a description. There are <sch:value-of select="$components-count"/>.</sch:assert>
</sch:rule>

<sch:rule context="/o:system-security-plan/o:control-implementation/o:implemented-requirement/o:statement/o:description">
<sch:assert role="warning" id="extraneous-response-description" test=". => empty()"
>Response statement <sch:value-of select="../@statement-id"/> has a description not within a component. That was previously allowed, but not recommended. It will soon be syntactically invalid and deprecated.</sch:assert>
</sch:rule>

<sch:rule context="/o:system-security-plan/o:control-implementation/o:implemented-requirement/o:statement/o:remarks">
<sch:assert role="warning" id="extraneous-response-remarks" test=". => empty()"
>Response statement <sch:value-of select="../@statement-id"/> has remarks not within a component. That was previously allowed, but not recommended. It will soon be syntactically invalid and deprecated.</sch:assert>
</sch:rule>

<sch:rule context="/o:system-security-plan/o:control-implementation/o:implemented-requirement/o:statement/o:by-component">
<sch:let name="component-ref" value="./@component-uuid"/>
<sch:assert role="warning" id="invalid-component-match" test="/o:system-security-plan/o:system-implementation/o:component[@uuid = $component-ref] => exists()"
>Response statment <sch:value-of select="../@statement-id"/> with component reference UUID '<sch:value-of select="$component-ref"/>' is not in the system implementation inventory, and cannot be used to define a control.</sch:assert>
<sch:assert role="error" id="missing-component-description" test="./o:description => exists()"
>Response statement <sch:value-of select="../@statement-id"/> has a component, but that component is missing a required description node.</sch:assert>"
</sch:rule>

<sch:rule context="/o:system-security-plan/o:control-implementation/o:implemented-requirement/o:statement/o:by-component/o:description">
<sch:let name="required-length" value="20"/>
<sch:let name="description" value=". => normalize-space()"/>
<sch:let name="description-length" value="$description => string-length()"/>
<sch:assert role="error" id="incomplete-response-description" test="$description-length >= $required-length"
>Response statement component description for <sch:value-of select="../../@statement-id"/> is too short with <sch:value-of select="$description-length"/> characters. It must be <sch:value-of select="$required-length"/> characters long.</sch:assert>
</sch:rule>

<sch:rule context="/o:system-security-plan/o:control-implementation/o:implemented-requirement/o:statement/o:by-component/o:remarks">
<sch:let name="required-length" value="20"/>
<sch:let name="remarks" value=". => normalize-space()"/>
<sch:let name="remarks-length" value="$remarks => string-length()"/>
<sch:assert role="warning" id="incomplete-response-remarks" test="$remarks-length >= $required-length"
>Response statement component remarks for <sch:value-of select="../../@statement-id"/> is too short with <sch:value-of select="$remarks-length"/> characters. It must be <sch:value-of select="$required-length"/> characters long.</sch:assert>
</sch:rule>

<sch:rule context="/o:system-security-plan/o:control-implementation/o:implemented-requirement/o:statement">
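Review bot: The `missing-component-description` assert in the `o:by-component` rule ends with a stray `"` after `</sch:assert>`, which leaves a non-whitespace text node directly inside `<sch:rule>`; Schematron's content model for `rule` does not admit character data there, so a strict processor may reject the schema or silently ignore it — the line should end with `</sch:assert>`. In the `missing-response-components` message, `count($components-count)=1` is always true because `$components-count` is already a single integer, so the noun never pluralises; the intended expression is `if ($required-components-count=1) then ' component' else ' components'`. The `required-length`, `remarks` and `remarks-length` lets in that same `o:statement` rule are never referenced and can be dropped, and the `invalid-component-match` message spells `statment`. Note also that `required-response-points`, `implemented` and `missing` in the `o:implemented-requirement` rule are computed over the whole profile and document rather than the context requirement, so the same `missing-response-points` failure will presumably be reported once per implemented requirement — confirm that is intended. The final `<sch:rule>` for `o:statement` continues past the end of the hunk.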