re-introduce party has responsibility-constraints

features/fedramp_extensions.feature

@@ -95,8 +95,10 @@ Examples:
   | interconnection-security-PASS.yaml |
   | missing-response-components-FAIL.yaml |
   | missing-response-components-PASS.yaml |
-  | missing-response-components-test-FAIL.yaml |
-  | missing-response-components-test-PASS.yaml |
+  | party-has-one-responsibility-FAIL.yaml |
+  | party-has-one-responsibility-PASS.yaml |
+  | party-has-responsibility-FAIL.yaml |
+  | party-has-responsibility-PASS.yaml |
   | privilege-level-FAIL.yaml |
   | privilege-level-PASS.yaml |
   | resource-has-base64-or-rlink-FAIL.yaml |
@@ -169,7 +171,9 @@ Examples:
   | information-type-system |
   | interconnection-direction |
   | interconnection-security |
-  | missing-response-components-test |
+  | missing-response-components |
+  | party-has-one-responsibility |
+  | party-has-responsibility |
   | privilege-level |
   | prop-response-point-has-cardinality-one |
   | resource-has-base64-or-rlink |

src/validations/constraints/content/ssp-party-has-one-responsibility-INVALID.xml

@@ -0,0 +1,15 @@
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" uuid="12345678-1234-4321-8765-123456789012">
+  <metadata>
+    <party uuid="22222222-0000-4000-9000-000000000002" type="person">
+      <name>Jane Doe</name>
+      <email-address>[email protected]</email-address>
+      <address type="work"/>
+    </party>
+    <responsible-party role-id="content-approver">
+      <party-uuid>22222222-0000-4000-9000-000000000002</party-uuid>
+    </responsible-party>
+    <responsible-party role-id="content-initiator">
+      <party-uuid>22222222-0000-4000-9000-000000000002</party-uuid>
+    </responsible-party>
+  </metadata>
+</system-security-plan>

src/validations/constraints/content/ssp-party-has-responsibility-INVALID.xml

@@ -0,0 +1,17 @@
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" uuid="12345678-1234-4321-8765-123456789012">
+  <metadata>
+    <party uuid="11111111-0000-4000-9000-000000000001" type="organization">
+      <name>Example Organization</name>
+      <short-name>ExOrg</short-name>
+      <link rel="website" href="https://example.com"/>
+    </party>
+    <party uuid="22222222-0000-4000-9000-000000000002" type="person">
+      <name>Jane Doe</name>
+      <email-address>[email protected]</email-address>
+      <address type="work"/>
+    </party>
+    <remarks>
+      <p>This SSP is an example for demonstration purposes.</p>
+    </remarks>
+  </metadata>
+</system-security-plan>

src/validations/constraints/fedramp-external-constraints.xml

@@ -133,6 +133,12 @@
             <expect id="role-defined-information-system-security-officer" target="." test="role[@id eq 'information-system-security-officer']" level="ERROR">
                 <message>A FedRAMP SSP must define a role for the point of contact for an information system security officer.</message>
             </expect>
+            <expect id="party-has-responsibility" target="." test="every $person in //party[@type='person'] satisfies exists(.//responsible-party[party-uuid = $person/@uuid])" level="WARNING">
+                <message>One or more persons do not have any assigned responsibilities.</message>
+            </expect>
+            <expect id="party-has-one-responsibility" target="." test="every $person in //party[@type='person'] satisfies count(.//responsible-party[party-uuid = $person/@uuid]) eq 1" level="WARNING">
+                <message>One or more persons have multiple assigned responsibilities.</message>
+            </expect>
         </constraints>
     </context>
     <context>
@@ -142,5 +148,6 @@
                 <message>Each implemented requirement must have at least one by-component reference to the source component implementing it.</message>
             </expect>
         </constraints>
+
     </context>
 </metaschema-meta-constraints>

src/validations/constraints/unit-tests/party-has-one-responsibility-FAIL.yaml

@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for party-has-one-responsibility
+  description: >-
+    This test case validates the behavior of constraint
+    party-has-one-responsibility
+  content: ../content/ssp-party-has-one-responsibility-INVALID.xml
+  expectations:
+    - constraint-id: party-has-one-responsibility
+      result: fail

src/validations/constraints/unit-tests/party-has-one-responsibility-PASS.yaml

@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for party-has-one-responsibility
+  description: >-
+    This test case validates the behavior of constraint
+    party-has-one-responsibility
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: party-has-one-responsibility
+      result: pass

src/validations/constraints/unit-tests/party-has-responsibility-FAIL.yaml

@@ -0,0 +1,7 @@
+test-case:
+  name: Negative Test for party-has-responsibility
+  description: This test case validates the behavior of constraint party-has-responsibility
+  content: ../content/ssp-party-has-responsibility-INVALID.xml
+  expectations:
+    - constraint-id: party-has-responsibility
+      result: fail

src/validations/constraints/unit-tests/party-has-responsibility-PASS.yaml

@@ -0,0 +1,7 @@
+test-case:
+  name: Positive Test for party-has-responsibility
+  description: This test case validates the behavior of constraint party-has-responsibility
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: party-has-responsibility
+      result: pass