Added system-characteristics has-security constraints and tests

features/fedramp_extensions.feature

@@ -47,6 +47,16 @@ Examples:
   | has-information-system-contingency-plan-PASS.yaml |
   | has-rules-of-behavior-FAIL.yaml |
   | has-rules-of-behavior-PASS.yaml |
+  | has-security-impact-level-FAIL.yaml |
+  | has-security-impact-level-PASS.yaml |
+  | has-security-objective-availability-FAIL.yaml |
+  | has-security-objective-availability-PASS.yaml |
+  | has-security-objective-confidentiality-FAIL.yaml |
+  | has-security-objective-confidentiality-PASS.yaml |
+  | has-security-objective-integrity-FAIL.yaml |
+  | has-security-objective-integrity-PASS.yaml |
+  | has-security-sensitivity-level-FAIL.yaml |
+  | has-security-sensitivity-level-PASS.yaml |
   | has-separation-of-duties-matrix-FAIL.yaml |
   | has-separation-of-duties-matrix-PASS.yaml |
   | has-user-guide-FAIL.yaml |
@@ -100,6 +110,11 @@ Examples:
   | has-incident-response-plan |
   | has-information-system-contingency-plan |
   | has-rules-of-behavior |
+  | has-security-impact-level |
+  | has-security-objective-availability |
+  | has-security-objective-confidentiality |
+  | has-security-objective-integrity |
+  | has-security-sensitivity-level |
   | has-separation-of-duties-matrix |
   | has-user-guide |
   | information-type-system |

src/validations/constraints/content/ssp-all-INVALID.xml

@@ -64,7 +64,7 @@
     <prop name='cloud-service-model' value='unsupported-model' ns="https://fedramp.gov/ns/oscal"/>
     <prop name='cloud-deployment-model' value='unsupported-value' ns="https://fedramp.gov/ns/oscal"/>
     <prop name='authorization-type' value='unsupported-value' ns="https://fedramp.gov/ns/oscal"/>
-    <security-sensitivity-level>moderate</security-sensitivity-level>
+    <!-- security-sensitivity-level was removed to ensure that test fails correctly. -->
     <system-information>
       <information-type uuid="33333333-0000-4000-9000-000000000003">
         <title>Financial Information</title>
@@ -85,13 +85,10 @@
         </availability-impact>
       </information-type>
     </system-information>
-
-    <security-impact-level>
-      <security-objective-confidentiality>moderate</security-objective-confidentiality>
-      <security-objective-integrity>moderate</security-objective-integrity>
-      <security-objective-availability>moderate</security-objective-availability>
-    </security-impact-level>
-
+    <!-- security-impact-level was removed to ensure that test fails correctly. -->
+    <!-- security-objective-confidentiality was removed to ensure that test fails correctly. -->
+    <!-- security-objective-integrity was removed to ensure that test fails correctly. -->
+    <!-- security-objective-availability was removed to ensure that test fails correctly. -->
     <status state="operational"/>
 
     <authorization-boundary>

src/validations/constraints/fedramp-external-constraints.xml

@@ -58,6 +58,21 @@
         <expect id="has-separation-of-duties-matrix" target="back-matter" test="resource[prop[@name eq 'type' and @value eq 'separation-of-duties-matrix']]" level="ERROR">
             <message>A FedRAMP SSP must have a Separation of Duties Matrix attached.</message>
         </expect>
+        <expect id="has-security-sensitivity-level" target="//system-characteristics" test="security-sensitivity-level" level="ERROR">
+            <message>An OSCAL SSP document must specify a FIPS 199 categorization.</message>
+        </expect>
+        <expect id="has-security-impact-level" target="//system-characteristics" test="security-impact-level" level="ERROR">
+            <message>An OSCAL SSP document must specify a security impact level.</message>
+        </expect>
+        <expect id="has-security-objective-confidentiality" target="//system-characteristics"  test="security-impact-level/security-objective-confidentiality" level="ERROR">
+            <message>An OSCAL SSP must specify a confidentiality security objective.</message>
+        </expect>
+        <expect id="has-security-objective-integrity" target="//system-characteristics"  test="security-impact-level/security-objective-integrity" level="ERROR">
+            <message>An OSCAL SSP must specify an integrity security objective.</message>
+        </expect>
+        <expect id="has-security-objective-availability" target="//system-characteristics"  test="security-impact-level/security-objective-availability" level="ERROR">
+            <message>An OSCAL SSP must specify an availability security objective.</message>
+        </expect>
     </constraints>
 </context>
 <context>
@@ -75,4 +90,4 @@
         </expect>
     </constraints>
 </context>
-</metaschema-meta-constraints>
+</metaschema-meta-constraints>

src/validations/constraints/unit-tests/has-security-impact-level-FAIL.yaml

@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for has-security-impact-level
+  description: >-
+    This test case validates the behavior of constraint
+    has-security-impact-level
+  content: ../content/ssp-all-INVALID.xml
+  expectations:
+    - constraint-id: has-security-impact-level
+      result: fail

src/validations/constraints/unit-tests/has-security-impact-level-PASS.yaml

@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for has-security-impact-level
+  description: >-
+    This test case validates the behavior of constraint
+    has-security-impact-level
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: has-security-impact-level
+      result: pass

src/validations/constraints/unit-tests/has-security-objective-availability-FAIL.yaml

@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for has-security-objective-availability
+  description: >-
+    This test case validates the behavior of constraint
+    has-security-objective-availability
+  content: ../content/ssp-all-INVALID.xml
+  expectations:
+    - constraint-id: has-security-objective-availability
+      result: fail

src/validations/constraints/unit-tests/has-security-objective-availability-PASS.yaml

@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for has-security-objective-availability
+  description: >-
+    This test case validates the behavior of constraint
+    has-security-objective-availability
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: has-security-objective-availability
+      result: pass

src/validations/constraints/unit-tests/has-security-objective-confidentiality-FAIL.yaml

@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for has-security-objective-confidentiality
+  description: >-
+    This test case validates the behavior of constraint
+    has-security-objective-confidentiality
+  content: ../content/ssp-all-INVALID.xml
+  expectations:
+    - constraint-id: has-security-objective-confidentiality
+      result: fail

src/validations/constraints/unit-tests/has-security-objective-confidentiality-PASS.yaml

@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for has-security-objective-confidentiality
+  description: >-
+    This test case validates the behavior of constraint
+    has-security-objective-confidentiality
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: has-security-objective-confidentiality
+      result: pass

src/validations/constraints/unit-tests/has-security-objective-integrity-FAIL.yaml

@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for has-security-objective-integrity
+  description: >-
+    This test case validates the behavior of constraint
+    has-security-objective-integrity
+  content: ../content/ssp-all-INVALID.xml
+  expectations:
+    - constraint-id: has-security-objective-integrity
+      result: fail

src/validations/constraints/unit-tests/has-security-objective-integrity-PASS.yaml

@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for has-security-objective-integrity
+  description: >-
+    This test case validates the behavior of constraint
+    has-security-objective-integrity
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: has-security-objective-integrity
+      result: pass

src/validations/constraints/unit-tests/has-security-sensitivity-level-FAIL.yaml

@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for has-security-sensitivity-level
+  description: >-
+    This test case validates the behavior of constraint
+    has-security-sensitivity-level
+  content: ../content/ssp-all-INVALID.xml
+  expectations:
+    - constraint-id: has-security-sensitivity-level
+      result: fail

src/validations/constraints/unit-tests/has-security-sensitivity-level-PASS.yaml

@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for has-security-sensitivity-level
+  description: >-
+    This test case validates the behavior of constraint
+    has-security-sensitivity-level
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: has-security-sensitivity-level
+      result: pass