From 8c1a343b60cc162ab325b9a9ee75aab9cca01bfd Mon Sep 17 00:00:00 2001
From: Gabeblis <gabriel.rodriguez@gsa.gov>
Date: Thu, 9 Jan 2025 11:45:37 -0500
Subject: [PATCH] Add new metapath target to 'security-level' constraint
 (#1079)

---
 .../constraints/content/ssp-security-level-INVALID.xml   | 9 +++++++++
 .../constraints/fedramp-external-allowed-values.xml      | 5 +++--
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/validations/constraints/content/ssp-security-level-INVALID.xml b/src/validations/constraints/content/ssp-security-level-INVALID.xml
index 33d9cdaef..fa4f426b4 100644
--- a/src/validations/constraints/content/ssp-security-level-INVALID.xml
+++ b/src/validations/constraints/content/ssp-security-level-INVALID.xml
@@ -24,4 +24,13 @@
       <security-objective-availability>INVALID-fips-199-moderate</security-objective-availability>
     </security-impact-level>
   </system-characteristics>
+  <system-implementation>
+    <leveraged-authorization uuid="11111111-2222-4000-8000-019000000001">
+      <prop ns="http://fedramp.gov/ns/oscal" name="impact-level" value="INVALID-fips-199-moderate">
+        <remarks>
+          <p>For now, this is a required field. In the future we intend to pull this information directly from FedRAMP's records based on the "leveraged-system-identifier" property's value.</p>
+        </remarks>
+      </prop>
+    </leveraged-authorization>
+  </system-implementation>
 </system-security-plan>
\ No newline at end of file
diff --git a/src/validations/constraints/fedramp-external-allowed-values.xml b/src/validations/constraints/fedramp-external-allowed-values.xml
index 592df480c..4e2013a05 100644
--- a/src/validations/constraints/fedramp-external-allowed-values.xml
+++ b/src/validations/constraints/fedramp-external-allowed-values.xml
@@ -647,9 +647,10 @@
         <metapath target="/system-security-plan/system-characteristics/security-sensitivity-level"/>
         <metapath target="/system-security-plan/system-characteristics/security-impact-level/(security-objective-confidentiality|security-objective-integrity|security-objective-availability)"/>
         <metapath target="/system-security-plan/system-characteristics/system-information/information-type/(confidentiality-impact|integrity-impact|availability-impact)/(base|selected)"/>
+        <metapath target="/system-security-plan/system-implementation/leveraged-authorization"/>
         <constraints>
-
-            <allowed-values id="security-level" target="." allow-other="no" level="ERROR">
+            <let var="security-level-target" expression="if (prop[@name='impact-level' and @ns='http://fedramp.gov/ns/oscal']) then prop[@name='impact-level' and @ns='http://fedramp.gov/ns/oscal']/@value else ."/>
+            <allowed-values id="security-level" target="$security-level-target" allow-other="no" level="ERROR">
                 <formal-name>Security Impact Level</formal-name>
                 <description>The security objective level as defined by <a href="https://doi.org/10.6028/NIST.SP.800-60v1r1">NIST SP 800-60</a>.
                 </description>