-
Notifications
You must be signed in to change notification settings - Fork 96
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Components representing inter-boundary communication need to declare the direction of data flow #930
Components representing inter-boundary communication need to declare the direction of data flow #930
Comments
@aj-stein-gsa / @DimitriZhurkin - it would be best to pause any constraint work dealing with In particular, I am expecting to make the following changes:
|
These are still OK
These incorrectly conflate data direction with connection direction and should not be created or should be dropped if already created:
-If direction is outgoing there must be at least one remote ipv4 address, ipv6 address or URI to an API.
These incorrect items do not need to be replaced. This task can be closed when the first three |
We need to pause this and discuss it. There are two items that put any further work on this at risk:
|
Per conversations over the past two days there are actually three things happening with this issue. Item 1: Potential changes to the FedRAMP requirements for Table 7-1 are "in the works" related to the pending boundary guidance; however, there is no clear ETA nor definition for this yet. Decision on Item 1: We have agreed to continue working on OSCAL modeling, documentation, and constraints based on existing guidance. We will circle back to any changes once they are more clearly defined with a clearer ETA. We intend to insert OSCAL-rework into that boundary guidance release process. Item 2: @DimitriZhurkin had started work on this and implemented the first constraint of four. I then realized that I had incorrectly used the "direction" property in the metapath. If we continue forward with this approach (vs Item #3 below) we need to rework the first constraint to use this revised metapath: context="//component[
(@type=('service', 'software') and not(./prop[@name='leveraged-authorization-uuid']) and ./prop[@name='implementation-point' and @value='external'])
or
(@type='interconnection')
or
(@type=('service', 'software') and ./prop[@name='implementation-point' and @value='internal'] and ./prop[@name='communicates-externally' and @value='yes' and @ns='http://fedramp.gov/ns/oscal'])
]" Item 3: The current "direction" property in concert with the FedRAMP "information-type" prop/extension does not give a complete picture. It becomes ambiguous when the direction is both incoming and outgoing with more than one information type specified. We need clarity around which information is crossing the boundary on its way into the system vs crossing the boundary on its way out. As a result I proposed the use of Regardless, the other constraints can still be worked, but with the revised target pasted in #2 above. |
commit f010473 Author: wandmagic <156969148+wandmagic@users.noreply.github.com> Date: Tue Dec 10 15:08:00 2024 -0500 re-introduce implemented-requirements constraints (GSA#981) * re-introduce implemented-requirements constraints * add doc available check for health url * fix spacing * Update src/validations/constraints/fedramp-external-constraints.xml Co-authored-by: Gabeblis <gabriel.rodriguez@gsa.gov> * Update src/validations/constraints/fedramp-external-constraints.xml Co-authored-by: Gabeblis <gabriel.rodriguez@gsa.gov> --------- Co-authored-by: Gabeblis <gabriel.rodriguez@gsa.gov> commit c0ad00e Author: Gabeblis <gabriel.rodriguez@gsa.gov> Date: Mon Dec 9 17:17:47 2024 -0500 Adjust link for all profiles (GSA#979) commit 8561600 Author: Gabeblis <gabriel.rodriguez@gsa.gov> Date: Mon Dec 9 11:27:48 2024 -0500 Add Components To `information-type-800-60-v2r1` Allowed Values (GSA#973) * Add Leveraged Authorizations and External, Interconnected, and Unauthorized Systems components to information-type allowed values * Adjust constraint target commit 788b67e Author: Gabeblis <gabriel.rodriguez@gsa.gov> Date: Mon Dec 9 09:32:35 2024 -0500 Fix constraint targets (GSA#974) commit 9d7946c Author: A.J. Stein <alexander.stein@gsa.gov> Date: Fri Dec 6 17:10:04 2024 -0500 [chore] Update container image to cli v2.4.0 (GSA#971) commit b2c9712 Author: Gabeblis <gabriel.rodriguez@gsa.gov> Date: Fri Dec 6 15:26:04 2024 -0500 Add `used-by-link-references-component` constraint (GSA#972) * Add 'used-by-link-references-component' constraint * Fix message Co-authored-by: Kylie Hunter <kylie.hunter@gsa.gov> * fix message Co-authored-by: DimitriZhurkin <dimitri.zhurkin@noblis.org> --------- Co-authored-by: Kylie Hunter <kylie.hunter@gsa.gov> Co-authored-by: DimitriZhurkin <dimitri.zhurkin@noblis.org> commit 3dac668 Author: Gabeblis <gabriel.rodriguez@gsa.gov> Date: Fri Dec 6 13:43:16 2024 -0500 Add `component-has-used-by-link` constraint (GSA#970) * Add constraint 'protocol-has-used-by-link' * Fix message * Change constraint id * Fix message (last time) * Update src/validations/constraints/content/ssp-component-has-used-by-link-INVALID.xml Co-authored-by: A.J. Stein <aj@gsa.gov> --------- Co-authored-by: A.J. Stein <aj@gsa.gov> commit c3db2b2 Author: DimitriZhurkin <dimitri.zhurkin@noblis.org> Date: Thu Dec 5 13:07:39 2024 -0700 Add inter-boundary-component-has-direction constraint (GSA#930) (GSA#968) commit 5d6710f Author: Gabeblis <gabriel.rodriguez@gsa.gov> Date: Thu Dec 5 13:32:28 2024 -0500 Fix dev-constraint.js bug (GSA#967) commit a7f9022 Author: Gabeblis <gabriel.rodriguez@gsa.gov> Date: Thu Dec 5 13:23:21 2024 -0500 Add exists() to tests and remove duplicate constraint and fix system-implementation context (GSA#966) Remove duplicate constraint and fix system-implementation context commit 780b38a Author: wandmagic <156969148+wandmagic@users.noreply.github.com> Date: Thu Dec 5 12:50:29 2024 -0500 Hotfix/deprecate all valid (GSA#960) * deprecate ssp-all-valid * Update src/validations/constraints/content/ssp-has-network-architecture-diagram-link-href-target-VALID-1.xml Co-authored-by: A.J. Stein <aj@gsa.gov> * Update src/validations/constraints/content/ssp-has-authorization-boundary-diagram-link-href-target-VALID-1.xml Co-authored-by: A.J. Stein <aj@gsa.gov> * Update src/validations/constraints/content/ssp-has-data-flow-diagram-link-href-target-VALID-1.xml Co-authored-by: A.J. Stein <aj@gsa.gov> * Update src/validations/constraints/content/ssp-has-network-architecture-diagram-link-href-target-VALID-1.xml Co-authored-by: A.J. Stein <aj@gsa.gov> * Update fedramp-ssp-example.oscal.xml --------- Co-authored-by: A.J. Stein <aj@gsa.gov> commit 2c0e4de Author: Gabeblis <gabriel.rodriguez@gsa.gov> Date: Thu Dec 5 10:21:00 2024 -0500 Change cia-has-selected test (GSA#965) commit 9a8e155 Author: wandmagic <156969148+wandmagic@users.noreply.github.com> Date: Wed Dec 4 15:30:29 2024 -0500 Update fedramp-ssp-example.oscal.xml (GSA#959) commit 5f7ce81 Author: Gabeblis <gabriel.rodriguez@gsa.gov> Date: Tue Dec 3 23:38:31 2024 +0000 change example ssp location commit 56f399e Author: Gabeblis <gabriel.rodriguez@gsa.gov> Date: Tue Dec 3 23:23:59 2024 +0000 Edit content to make constraints pass commit d521a22 Author: Gabeblis <gabriel.rodriguez@gsa.gov> Date: Tue Dec 3 19:12:01 2024 +0000 Delete extra ssp commit 8cfb601 Author: Gabeblis <gabriel.rodriguez@gsa.gov> Date: Tue Dec 3 17:39:38 2024 +0000 Add example ssp to content file and edit constraint script to point yaml pass file to example ssp commit ff8f812 Author: ~ . ~ <paul.n.wand@gsa.gov> Date: Tue Dec 3 13:50:22 2024 -0500 fix ssp to pass tests commit 85ec424 Author: Gabeblis <gabriel.rodriguez@gsa.gov> Date: Tue Dec 3 17:17:18 2024 +0000 Add example ssp to content file and edit constraint script to point yaml pass file to example ssp commit 7312686 Author: Kylie Hunter <kylie.hunter@gsa.gov> Date: Mon Nov 25 16:15:01 2024 -0700 Add connection-security prop constraint for GSA#931 commit 6ccb539 Author: Gabeblis <gabriel.rodriguez@gsa.gov> Date: Tue Dec 3 16:39:47 2024 -0500 Add `issue-893` Constraints (GSA#949) * Add component-has-non-provider-responsible-role and tests * Add constraints and tests * Edit message commit dd3be5f Author: wandmagic <156969148+wandmagic@users.noreply.github.com> Date: Tue Dec 3 16:39:32 2024 -0500 remove rev4 constraints (GSA#954) commit 113c4f5 Author: Gabeblis <gabriel.rodriguez@gsa.gov> Date: Tue Dec 3 15:42:43 2024 -0500 Fix Bug Issue GSA#940 (GSA#951) commit c6f8e8f Author: wandmagic <156969148+wandmagic@users.noreply.github.com> Date: Tue Dec 3 13:08:35 2024 -0500 implementation point constraint (GSA#936) * implementation point constraint * add help uri * improve constraint * add extra fail content * Update src/validations/constraints/content/ssp-all-VALID.xml Co-authored-by: DimitriZhurkin <dimitri.zhurkin@noblis.org> * Update fedramp-external-constraints.xml Co-authored-by: Rene Tshiteya <rene-claude.tshiteya@gsa.gov> * implementation point constraint * add help uri * improve constraint * add extra fail content * Update src/validations/constraints/content/ssp-all-VALID.xml Co-authored-by: DimitriZhurkin <dimitri.zhurkin@noblis.org> * Update fedramp-external-constraints.xml Co-authored-by: Rene Tshiteya <rene-claude.tshiteya@gsa.gov> * add needed props to all valid * rebase Co-Authored-By: A.J. Stein <aj@gsa.gov> * Update src/validations/constraints/fedramp-external-constraints.xml Co-authored-by: A.J. Stein <aj@gsa.gov> --------- Co-authored-by: DimitriZhurkin <dimitri.zhurkin@noblis.org> Co-authored-by: Rene Tshiteya <rene-claude.tshiteya@gsa.gov> Co-authored-by: A.J. Stein <aj@gsa.gov> commit 1377478 Author: Gabeblis <gabriel.rodriguez@gsa.gov> Date: Tue Dec 3 08:57:37 2024 -0500 Add `component-responsible-role-references-party` constraint (GSA#945) * Add constraint 'component-responsible-role-references-party' and tests * correct test * Rename constraint and adjust help-url * Edit message Co-authored-by: A.J. Stein <aj@gsa.gov> --------- Co-authored-by: A.J. Stein <aj@gsa.gov> commit a8461fb Author: ~ . ~ <paul.n.wand@gsa.gov> Date: Mon Dec 2 11:09:13 2024 -0500 pin server + update oscal-js version commit b82c417 Author: Gabeblis <gabriel.rodriguez@gsa.gov> Date: Mon Dec 2 14:07:05 2024 -0500 Add `leveraged-authorization-has-valid-impact-level` Constraint (GSA#913) * Add leveraged-authorization constraint * rename constraint * fix constraint test * correct constraint test * Change 'http' to 'https' * Add level commit 1db5f97 Author: Gabeblis <gabriel.rodriguez@gsa.gov> Date: Mon Dec 2 13:13:17 2024 -0500 Constraints/cleanup constraints file (GSA#946) * clean up fedramp-external-constraints.xml * fix * Add message to fully-operational-date-type
Per discussion today, I support moving forward with item 2 and Item 3. Item 2 adds the
@brian-ruf and @Rene2mt agreed that's a good way forward. So the next steps:
@brian-ruf or @Rene2mt, do I need to update the issues for 1? Did I understand correctly that it is just #930? |
@DimitriZhurkin consistent with @aj-stein-gsa decision above, please drop/remove any constraints related to the "direction" prop. The other constraints remain viable based on the redefined metapath in my above comment that replaced the "direction" prop with the "communicates-externally" prop/extension. |
@brian-ruf, as regards "other constraints remain viable," they all include Please redefine constraints that need to be worked on. In the meantime, I'll remove the |
@DimitriZhurkin as promised hours ago, here is the final update, with the whole issue re-summarized. Drop these:
Create/Revise These As Follows
NOTE that the |
Constraint Task
There must be at least one direction property, with no more than one incoming and no more than one outgoing direction.
Intended Outcome
Check that different kinds of network components for different leveraged authorizations and interconnection scenarios (see #808 (comment)) declare minimally required network traffic directions.
Syntax Type
This is required core OSCAL syntax.
Allowed Values
There are no relevant allowed values.
Metapath(s) to Content
Purpose of the OSCAL Content
To identify network traffic patterns for reviewers to know if it is properly risk-managed and conforms with FedRAMP requirements and best practices.
Dependencies
No response
Acceptance Criteria
oscal-cli metaschema metapath eval -e "expression"
.Other information
This is part of #807 and #808.
The text was updated successfully, but these errors were encountered: