GSA · Gabeblis · Sep 11, 2024 · Sep 20, 2024 · Sep 24, 2024 · Sep 25, 2024
@@ -101,6 +101,10 @@ Examples:
   | has-network-architecture-diagram-link-rel-allowed-value-PASS.yaml |
   | has-rules-of-behavior-FAIL.yaml |
   | has-rules-of-behavior-PASS.yaml |
+  | has-security-impact-level-FAIL.yaml |
+  | has-security-impact-level-PASS.yaml |
+  | has-security-sensitivity-level-FAIL.yaml |
+  | has-security-sensitivity-level-PASS.yaml |
   | has-separation-of-duties-matrix-FAIL.yaml |
   | has-separation-of-duties-matrix-PASS.yaml |
   | has-user-guide-FAIL.yaml |
@@ -195,6 +199,8 @@ Examples:
   | has-network-architecture-diagram-link-rel |
   | has-network-architecture-diagram-link-rel-allowed-value |
   | has-rules-of-behavior |
+  | has-security-impact-level |
+  | has-security-sensitivity-level |
   | has-separation-of-duties-matrix |
   | has-user-guide |
   | information-type-system |

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+  <system-characteristics>
+  </system-characteristics>
+</system-security-plan>
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+  <system-characteristics>
+  </system-characteristics>
+</system-security-plan>
@@ -137,6 +137,12 @@
             <expect id="has-data-flow-diagram-link-rel-allowed-value" target="system-characteristics/data-flow/diagram/link" test="@rel eq 'diagram'" level="ERROR">
                 <message>Each FedRAMP SSP data flow diagram must have a link rel attribute with the value "diagram".</message>
             </expect>
+            <expect id="has-security-sensitivity-level" target="system-characteristics" test="security-sensitivity-level" level="ERROR">
+                <message>An OSCAL SSP document must specify a FIPS 199 categorization.</message>
+            </expect>
+            <expect id="has-security-impact-level" target="system-characteristics" test="security-impact-level" level="ERROR">
+                <message>An OSCAL SSP document must specify a security impact level.</message>
+            </expect>
         </constraints>
     </context>
     <context>
@@ -170,4 +176,4 @@
             </expect>
         </constraints>
     </context>
-</metaschema-meta-constraints>
+</metaschema-meta-constraints>
@@ -0,0 +1,7 @@
+test-case:
+  name: Negative Test for has-security-impact-level
+  description: Test that a SSP system-characteristics element does not have a security-impact-level element.
+  content: ../content/ssp-has-security-impact-level-INVALID.xml
+  expectations:
+    - constraint-id: has-security-impact-level
+      result: fail
@@ -0,0 +1,7 @@
+test-case:
+  name: Positive Test for has-security-impact-level
+  description: Test that a SSP system-characteristics element has a security-impact-level element.
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: has-security-impact-level
+      result: pass
@@ -0,0 +1,7 @@
+test-case:
+  name: Negative Test for has-security-sensitivity-level
+  description: Test that a SSP system-characteristics element does not have a security-sensitivity-level element.
+  content: ../content/ssp-has-security-sensitivity-level-INVALID.xml
+  expectations:
+    - constraint-id: has-security-sensitivity-level
+      result: fail
@@ -0,0 +1,7 @@
+test-case:
+  name: Positive Test for has-security-sensitivity-level
+  description: Test that a SSP system-characteristics element has a security-sensitivity-level element.
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: has-security-sensitivity-level
+      result: pass