Constraint Task

As a maintainer of a digital authorization package, in order to know I am using the appropriate version of a leveraged authorization in my package SSP and avoid a pass-back, I would like a check in my SSP to confirm the appropriate FIPS-199 impact level for the my leveraged system(s).

Intended Outcome

Goal

Check for FIPS-199 low, moderate, or high impact level for leveraged authorization(s) defined.

NOTE: There is a pre-existing let/@var that is used to select the "high-water mark value" of a similar selection in the security-senstivity-level of the system characteristics (e.g. not any allowed value, but the highest value). This expect solution is desirable because it can have a tailored custom error message, while allowed-values can not. You MAY chose to adjust the var/expression binding or create a new item, but @aj-stein-gsa recommends an expect constraint due to the customization of the message, you MUST still review that expression and constraint.

Syntax

• Define an expect/allowed-values constraint (this is a developer design decision; see the NOTE above and consult with the development team if unsure) with that permits only the following values for the Metapath below:
  • fips-199-low
  • fips-199-moderate
  • fips-199-high

Syntax Type

This is a FedRAMP constraint in the FedRAMP-specific namespace.

Allowed Values

FedRAMP allowed values must be defined or verified.

Metapath(s) to Content

//leveraged-authorization/prop[@name='impact-level'][@ns='http://fedramp.gov/ns/oscal']/@value 
/system-security-plan/system-characteristics/security-sensitivity-level

Purpose of the OSCAL Content

No response

Dependencies

No response

Acceptance Criteria

• All OSCAL adoption content affected by the change in this issue have been updated in accordance with the Documentation Standards.
  • Explanation is present and accurate
  • sample content is present and accurate
  • Metapath is present, accurate, and does not throw a syntax exception using oscal-cli metaschema metapath eval -e "expression".
• All constraints associated with the review task have been created
• The appropriate example OSCAL file is updated with content that demonstrates the FedRAMP-compliant OSCAL presentation.
• The constraint conforms to the FedRAMP Constraint Style Guide.
  • All automated and manual review items that identify non-conformance are addressed; or technical leads (David Waltermire; AJ Stein) have approved the PR and “override” the style guide requirement.
• Known good test content is created for unit testing.
• Known bad test content is created for unit testing.
• Unit testing is configured to run both known good and known bad test content examples.
• Passing and failing unit tests, and corresponding test vectors in the form of known valid and invalid OSCAL test files, are created or updated for each constraint.
• A Pull Request (PR) is submitted that fully addresses the goals section of the User Story in the issue.
• This issue is referenced in the PR.

Other information

This task is part of #807.