
SSP Completeness Checks: Appendices C, D, F, G, H, I, N, P #809

Open
20 tasks
Tracked by #803
brian-ruf opened this issue Oct 23, 2024 · 12 comments

brian-ruf (Contributor) commented Oct 23, 2024

This is a ...

fix - something needs to be different

This relates to ...

  • the Guide to OSCAL-based FedRAMP System Security Plans (SSP)
  • the FedRAMP SSP OSCAL Template (JSON or XML Format)
  • the FedRAMP OSCAL Validations

User Story

As a consumer of FedRAMP automated completeness checks I want the following OSCAL-based SSP items to be automatically verified for completeness by metaschema constraints:

  • Every -1 control should have at least one link to a policy
  • Every -1 control should have at least one link to a procedure
  • Need to identify which other controls (in the FedRAMP baselines) require specific procedures, guides, RoB, and plans.
  • Then check for attachments to each of those controls
  • Linking to an item, includes verifying that the resource has either a base64 or rlink.
  • If an rlink, the href should be reachable

Goals

SSP Completeness checks are defined, tested and documented

Dependencies

No response

Acceptance Criteria

  • All FedRAMP Documents Related to OSCAL Adoption (https://github.com/GSA/fedramp-automation) affected by the changes in this issue have been updated.
  • A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
  • all constraints associated with the review task have been converted/created
  • automate.fedramp.gov content has been updated accordingly
  • the metaschema help prop has an appropriate link to the constraint
  • the template has content that models the desired OSCAL presentation
  • the constraint runs against the example template
  • known-bad content has been created
  • the constraint appropriately flags the known-bad content as invalid

Other information

No response

Tasks

  • Determine the file attachment pattern
  • identify the controls that require each of these attachments
  • Check that an access control policy and procedure are linked to SSP #798
  • Check that at least one User's Guide is attached
  • Check that the Rules of Behavior is attached
  • Check that the ICSP is attached
  • Check that the IRP is attached
  • Check that the CM Plan is attached
  • Check that the SCRMP is attached
  • Revise the constraint id='has-separation-of-duties-matrix' to check for OSCAL construct instead of attachment.
  • Align formerly created constraints on this topic with this definition for consistency of messages and handling.

brian-ruf (Contributor, Author) commented Oct 24, 2024

Analysis

  • Appendix C Information Security Policies and Procedures
    • Policy: AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IR-1, MA-1, MP-1, PE-1, PL-1, PS-1, RA-1, SA-1, SC-1, SI-1, SR-1
    • Procedure: AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IR-1, MA-1, MP-1, PE-1, PL-1, PS-1, RA-1, SA-1, SC-1, SI-1, SR-1
  • Appendix D User Guide
  • Appendix F Rules of Behavior (RoB): Required by PL-4
  • Appendix G Information System Contingency Plan (ISCP):
    • Plan required by CP-2
    • Test Report required by CP-4
  • Appendix H Configuration Management Plan (CMP): Required by CM-9
  • Appendix I Incident Response Plan (IRP): Required by IR-8
  • Appendix N Continuous Monitoring Plan: Required by CA-7
  • Appendix P Supply Chain Risk Management Plan (SCRMP): Required by SR-2

Additional Considerations

  • Separation of Duties Matrix may be attached to AC-5 (INFO on presence/absence)
  • IR-3 should have an Incident Response Test Report attached (WARN if not)
  • Additional controls that SHOULD have one or more procedures or plans attached (WARN if not): AC-2, CM-2, 3, 4, 5, 6, CP-10, IR-5, IR-6 (Incident Communications Procedure), IR-9 (info spill procedure or plan), MA-2, MP-6, PE-2, PE-8, PL-2, PS-3, 4, 5, SA-4, SI-2, SR-3, SR-10, SR-12
  • Appendix O POA&M: CA-5 [Out of scope for this issue Included here for completeness of the analysis.]

brian-ruf (Contributor, Author) commented Oct 24, 2024

Important Consideration

There are several possible ways policies, plans and procedures may be attached to security controls:

  1. the control includes a link that points directly to the document
  2. the control includes a link with a URI fragment that points to a back-matter resource representing the document
  3. the control includes a by-component assembly that points to a component representing the document; the component could:
    a. have a link directly to the document
    b. have a link with a URI fragment that points to a back-matter resource

Edited Dec 3, 2024 to cross out 1, 2 and 3a, and emphasize 3b.

aj-stein-gsa (Contributor) commented

> Important Consideration
>
> There are several possible ways policies, plans and procedures may be attached to security controls:

Thanks for the brief today, let's soon discuss how we should act with recommendations on 2 and 3b as the preferred recommendations and how to design constraints around them ASAP.

aj-stein-gsa moved this from 🆕 New to 📋 Backlog in FedRAMP Automation Oct 25, 2024
aj-stein-gsa moved this from 📋 Backlog to 🔖 Ready in FedRAMP Automation Oct 25, 2024
brian-ruf (Contributor, Author) commented Nov 27, 2024

@aj-stein-gsa I've reached this issue in our priorities. We've both been very focused on other work and haven't resolved the above question of how best to model attachments.

As with other areas this is something where we should have a preferred approach as well as accepting a simpler approach in support of legacy Word -> OSCAL SSP conversions.

Further, we have allowed other attachments and links to be either a URI fragment or a direct external link.

As a result, I believe we should establish 3b as our preferred approach, but accept any of the above (1, 2, 3a and 3b). I think our team has become well skilled at writing XPath that supports these scenarios.

I will defer any further analysis on this until you return. Hope to have a clear direction by COB Monday, Dec 2nd

@Rene2mt FYSA

brian-ruf (Contributor, Author) commented

I am going to model 3b Tuesday in the example SSP and begin defining constraints that will give an error if none of the above methods are used, plus offer a warning if any method other than 3b is used.

brian-ruf (Contributor, Author) commented Dec 3, 2024

In today's conversation with @aj-stein-gsa , @Rene2mt and @brian-ruf we agree that we only accept 3B:
Every attachment must be represented as a component and be attached as a back-matter resource.

brian-ruf (Contributor, Author) commented
Additional note related to today's earlier conversation. In the future, we intend to investigate annotating the OSCAL baselines to indicate exactly where attachments are expected relative to control statements as well as the nature of the attachment. We are deferring this approach for now due to the deadline for finishing SSP constraints.

brian-ruf (Contributor, Author) commented Dec 4, 2024

Detail

Analysis of exactly which control statements should have attachments and what attachment types are acceptable.

Process vs Procedure

Generally accepted process improvement principles consider processes to involve more than one party, often crossing organizational boundaries while procedures tend to be something that a single party can complete start to finish for a given task. There is rough alignment with this in NIST SP 800-53.

In terms of OSCAL content modeling, please consider "process" and "procedure" to be equivalent terms. Only a single OSCAL component type exists for both processes and procedures (the "process-procedure" component type) and only a "procedure" attachment type exists that is expected to be used for both processes and procedures.

Always Required (ERROR)

| Control | Location | High | Moderate | Low | LI-SaaS | Attachment type(s) | Notes |
|---|---|---|---|---|---|---|---|
| AC-1 | statement a | X | X | X | No | Policy and Procedure | |
| AT-1 | statement a | X | X | X | No | Policy and Procedure | |
| AU-1 | statement a | X | X | X | No | Policy and Procedure | |
| CA-1 | statement a | X | X | X | No | Policy and Procedure | |
| CM-1 | statement a | X | X | X | No | Policy and Procedure | |
| CP-1 | statement a | X | X | X | No | Policy and Procedure | |
| IA-1 | statement a | X | X | X | No | Policy and Procedure | |
| IR-1 | statement a | X | X | X | No | Policy and Procedure | |
| MA-1 | statement a | X | X | X | No | Policy and Procedure | |
| MP-1 | statement a | X | X | X | No | Policy and Procedure | |
| PE-1 | statement a | X | X | X | No | Policy and Procedure | |
| PL-1 | statement a | X | X | X | No | Policy and Procedure | |
| PS-1 | statement a | X | X | X | No | Policy and Procedure | |
| RA-1 | statement a | X | X | X | No | Policy and Procedure | |
| SA-1 | statement a | X | X | X | No | Policy and Procedure | |
| SC-1 | statement a | X | X | X | No | Policy and Procedure | |
| SI-1 | statement a | X | X | X | No | Policy and Procedure | |
| SR-1 | statement a | X | X | X | No | Policy and Procedure | |
| N/A | RESOURCE ONLY | X | X | X | No | Guide | User's Guide |
| CA-7 | a - g, FR req's x 2 | X | X | X | X | Plan | ConMon Plan |
| CM-9 | a - e | X | X | No | No | Plan | Config Mgt Plan |
| CP-2 | a | X | X | X | No | Plan | ISCP |
| CP-4 | a | X | X | X | No | Plan or Report | ISCP Test Results (may be in the plan) |
| IA-5 | d | X | X | X | No | Procedure | Procedure for authenticator management |
| IR-8 | a | X | X | X | No | Plan | Incident Resp Plan |
| PL-4 | a | X | X | X | No | RoB | Rules of Behavior |
| SR-2 | a | X | X | X | No | Plan | Supply Chain RM Plan |
| SR-3 | a | X | X | X | No | Procedure | Moved to mandatory as the control explicitly says, "establish a process ..." |

Separation of Duties

The SoD Matrix is required by AC-5 parts a and b; however, we are now expecting this in OSCAL format rather than as an attachment. Plus AC-5 does not exist in the Low or LI-SaaS baselines.

Questionable as a Mandate

The following are very likely to require an attachment as part of properly satisfying the control, and are nearly always accomplished via a Plan, Procedure or similar. These should at least raise a WARNING if no attachment is found. Collaboration with the review team may result in some items in this list either being dropped or moved from WARNING to ERROR.

| Control | Location | High | Moderate | Low | LI-SaaS | Attachment (Policy / Procedure / Plan / Guide / RoB / Report) | Notes |
|---|---|---|---|---|---|---|---|
| AC-2 | a - l | X | X | X | X | or or or | Covered in Policy, Procedure and/or Plan (may be some of each) |
| AC-4(4) | stmt | X | No | No | No | X | Encryption bypass if 3rd parameter is defined |
| AC-11 | b | X | X | No | No | X | Device lock |
| CM-2 | a, b | X | X | X | No | or or | Document and manage system baseline |
| CM-3 | a - g | X | X | No | No | or or | Change management process |
| CM-4 | stmt | X | X | X | X | or or | Security analysis of system changes |
| CM-5 | stmt | X | X | X | X | or or | Process(es) to document and enforce system access restrictions |
| CM-6 | d | X | X | X | X | or or | Monitor for changes IAW org policies and procedures |
| CP-10 | stmt | X | X | X | No | or or | Recovery and reconstitution following an event |
| IR-3 | stmt | X | X | No | No | X | IR Test Report |
| IR-4 | c | X | X | X | X | X | Process includes incorporating lessons learned |
| IR-5 | stmt | X | X | X | No | or or | Procedure to track and document incidents |
| IR-6 | a | X | X | X | X | X | Incident Comm Procedure |
| IR-9 | a - g | X | X | No | No | or or | Data Spill Plan or Procedure |
| IR-9(3) | stmt | X | X | No | No | or or | Data Spill Plan or Procedure ensures continued work |
| MA-2 | c | X | X | X | Conditional | or or or | Equipment removal approval process |
| MA-5(1) | a | X | X | No | No | X | Proc for maint staff without appropriate clearance |
| MP-4 | b | X | X | No | No | X | Media destruction procedure |
| MP-6 | a, b | X | X | X | Conditional | or or | Media Sanitization Procedure |
| MP-6(2) | stmt | X | No | No | No | X | Test Media Sanitization Capability |
| PE-2 | a | X | X | X | Conditional | or or | Procedure to maintain facility access list |
| PE-8 | a, b, c | X | X | X | Conditional | or or | Procedure for visitor access records maintenance |
| PL-2 | a | X | X | X | X | or or | Security and Privacy Plan |
| PS-3 | a, b | X | X | X | X | or or or | Screen and re-screen individuals |
| PS-5 | a - d | X | X | X | No | or or | Process for periodic access review |
| SA-4 | a - i | X | X | X | No | X | Contract language that addresses security |
| SI-2 | a | X | X | X | X | or or | Process or Plan to identify/track system flaws |
| SR-8 | stmt | X | X | X | No | X | Supplier agreements and procedures |
| SR-10 | stmt | X | X | X | No | or or | Inspection for tampering |
| SR-12 | stmt | X | X | X | No | or or | Disposal of data/documentation/tools/components |

brian-ruf (Contributor, Author) commented Dec 5, 2024

Constraint Pattern

PRELIMINARY CONSTRAINTS

The following constraints should be executed first:

  1. The constraint defined in SSP Completeness Checks: Security Controls #810 that verifies all controls and control statements that should be in the SSP actually are. (per SSP Completeness Checks: Security Controls #810 (comment))

  2. All "policy", "process-procedure", "plan", "guide" and "rob" components are linked to a viable back-matter resource

  • metapath target="/system-security-plan/system-implementation/component[@type=('policy', 'process-procedure', 'plan', 'rob', 'guide')]"

2a. Does the component have a link statement that identifies a valid back-matter resource?
- target="."
- test="let $ref := ./link[@rel='attachment']/substring-after(@href, '#') return count(/system-security-plan/back-matter/resource[@uuid = $ref]) = 1"
  (the let binds the component's fragment first; inside a resource[...] predicate the context node is the resource, so ./link would no longer refer to the component)

2b. Does the back-matter resource have a viable attachment?
- target="/system-security-plan/back-matter/resource[@uuid = /system-security-plan/system-implementation/component[@type=('policy', 'process-procedure', 'plan', 'rob', 'guide')]/link[@rel='attachment']/substring-after(@href, '#')]"
- test="exists(./base64) or exists(./rlink[doc-available(resolve-uri(@href))])"
  (count() of a boolean is always 1, so a count(... or ...) >= 1 form could never fail; exists() tests the sequences directly)

brian-ruf (Contributor, Author) commented Dec 6, 2024

CONSTRAINT PATTERN FOR EACH ATTACHMENT

Example Pattern

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE metaschema-meta-constraints [
      <!ENTITY check-for-attachments SYSTEM "./check-for-attachments.ent">
]>

<!-- cut content -->

<!-- Repeat this structure for each row in the table below.
     Each let expression is a Metapath expression, so literal strings are quoted. -->
<context>
   <let var="root-help-url" expression="'https://automate.fedramp.gov/documentation'" />
   <let var="reference" expression="'has-ac-policy'" />
   <let var="control-id" expression="'ac-1'" />
   <let var="statement-id" expression="concat($control-id, '_smt.a')" />
   <let var="component-type" expression="'policy'" />
   <let var="level" expression="'ERROR'" />
   <let var="message" expression="'A policy that addresses Access Control must be associated with AC-1 part a.'" />
   <let var="help-url" expression="concat($root-help-url, '/ssp/something')" />

&check-for-attachments;
</context>

File: check-for-attachments.ent

   <metapath target="/system-security-plan/control-implementation/implemented-requirement[@control-id=$control-id]/statement[@statement-id=$statement-id]" />

   <constraints>

      <!-- The statement must carry at least one by-component whose component has the required type.
           The predicate is written from the by-component side so that @component-uuid is evaluated
           against the by-component rather than against the component being compared. $component-type
           may be a sequence (e.g. ('plan', 'report')); the general comparison handles that.
           Viability of the linked component (2a/2b) is covered by the preliminary constraints.
           Whether $reference, $level, $help-url and $message can be substituted into attributes and
           message text is the open QUESTION below. -->
      <expect id="$reference" target="." level="$level" test="count(./by-component[@component-uuid = /system-security-plan/system-implementation/component[@type = $component-type]/@uuid]) >= 1">
         <formal-name>Required Attachment is Present</formal-name>
         <prop name="help-url" namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" value="$help-url" />
         <message>$message</message>
      </expect>

   </constraints>

DATA TO PLUG INTO PATTERN

NOTE: In the table, the $help-url should only include the portion of the URL following the documentation root (https://automate.fedramp.gov/documentation).

| $reference | $control-id | $statement-id | $component-type | $level | $message | $help-url (sans root) |
|---|---|---|---|---|---|---|
| has-ac-policy | ac-1 | _smt.a | 'policy' | ERROR | A policy that addresses Access Control must be associated with AC-1 part a. | need |
| has-ac-procedure | ac-1 | _smt.a | 'process-procedure' | ERROR | At least one procedure that addresses Access Control must be associated with AC-1 part a. | need |
| has-at-policy | at-1 | _smt.a | 'policy' | ERROR | A policy that addresses Awareness and Training must be associated with AT-1 part a. | need |
| has-at-procedure | at-1 | _smt.a | 'process-procedure' | ERROR | At least one procedure that addresses Awareness and Training must be associated with AT-1 part a. | need |
| has-au-policy | au-1 | _smt.a | 'policy' | ERROR | A policy that addresses Audit and Accountability must be associated with AU-1 part a. | need |
| has-au-procedure | au-1 | _smt.a | 'process-procedure' | ERROR | At least one procedure that addresses Audit and Accountability must be associated with AU-1 part a. | need |
| has-ca-policy | ca-1 | _smt.a | 'policy' | ERROR | A policy that addresses Assessment, Authorization, and Monitoring must be associated with CA-1 part a. | need |
| has-ca-procedure | ca-1 | _smt.a | 'process-procedure' | ERROR | At least one procedure that addresses Assessment, Authorization, and Monitoring must be associated with CA-1 part a. | need |
| has-cm-policy | cm-1 | _smt.a | 'policy' | ERROR | A policy that addresses Configuration Management must be associated with CM-1 part a. | need |
| has-cm-procedure | cm-1 | _smt.a | 'process-procedure' | ERROR | At least one procedure that addresses Configuration Management must be associated with CM-1 part a. | need |
| has-cp-policy | cp-1 | _smt.a | 'policy' | ERROR | A policy that addresses Contingency Planning must be associated with CP-1 part a. | need |
| has-cp-procedure | cp-1 | _smt.a | 'process-procedure' | ERROR | At least one procedure that addresses Contingency Planning must be associated with CP-1 part a. | need |
| has-ia-policy | ia-1 | _smt.a | 'policy' | ERROR | A policy that addresses Identification and Authentication must be associated with IA-1 part a. | need |
| has-ia-procedure | ia-1 | _smt.a | 'process-procedure' | ERROR | At least one procedure that addresses Identification and Authentication must be associated with IA-1 part a. | need |
| has-ir-policy | ir-1 | _smt.a | 'policy' | ERROR | A policy that addresses Incident Response must be associated with IR-1 part a. | need |
| has-ir-procedure | ir-1 | _smt.a | 'process-procedure' | ERROR | At least one procedure that addresses Incident Response must be associated with IR-1 part a. | need |
| has-ma-policy | ma-1 | _smt.a | 'policy' | ERROR | A policy that addresses Maintenance must be associated with MA-1 part a. | need |
| has-ma-procedure | ma-1 | _smt.a | 'process-procedure' | ERROR | At least one procedure that addresses Maintenance must be associated with MA-1 part a. | need |
| has-mp-policy | mp-1 | _smt.a | 'policy' | ERROR | A policy that addresses Media Protection must be associated with MP-1 part a. | need |
| has-mp-procedure | mp-1 | _smt.a | 'process-procedure' | ERROR | At least one procedure that addresses Media Protection must be associated with MP-1 part a. | need |
| has-pe-policy | pe-1 | _smt.a | 'policy' | ERROR | A policy that addresses Physical and Environmental Protection must be associated with PE-1 part a. | need |
| has-pe-procedure | pe-1 | _smt.a | 'process-procedure' | ERROR | At least one procedure that addresses Physical and Environmental Protection must be associated with PE-1 part a. | need |
| has-pl-policy | pl-1 | _smt.a | 'policy' | ERROR | A policy that addresses Planning must be associated with PL-1 part a. | need |
| has-pl-procedure | pl-1 | _smt.a | 'process-procedure' | ERROR | At least one procedure that addresses Planning must be associated with PL-1 part a. | need |
| has-ps-policy | ps-1 | _smt.a | 'policy' | ERROR | A policy that addresses Personnel Security must be associated with PS-1 part a. | need |
| has-ps-procedure | ps-1 | _smt.a | 'process-procedure' | ERROR | At least one procedure that addresses Personnel Security must be associated with PS-1 part a. | need |
| has-ra-policy | ra-1 | _smt.a | 'policy' | ERROR | A policy that addresses Risk Assessment must be associated with RA-1 part a. | need |
| has-ra-procedure | ra-1 | _smt.a | 'process-procedure' | ERROR | At least one procedure that addresses Risk Assessment must be associated with RA-1 part a. | need |
| has-sa-policy | sa-1 | _smt.a | 'policy' | ERROR | A policy that addresses System and Services Acquisition must be associated with SA-1 part a. | need |
| has-sa-procedure | sa-1 | _smt.a | 'process-procedure' | ERROR | At least one procedure that addresses System and Services Acquisition must be associated with SA-1 part a. | need |
| has-sc-policy | sc-1 | _smt.a | 'policy' | ERROR | A policy that addresses System and Communications Protection must be associated with SC-1 part a. | need |
| has-sc-procedure | sc-1 | _smt.a | 'process-procedure' | ERROR | At least one procedure that addresses System and Communications Protection must be associated with SC-1 part a. | need |
| has-si-policy | si-1 | _smt.a | 'policy' | ERROR | A policy that addresses System and Information Integrity must be associated with SI-1 part a. | need |
| has-si-procedure | si-1 | _smt.a | 'process-procedure' | ERROR | At least one procedure that addresses System and Information Integrity must be associated with SI-1 part a. | need |
| has-sr-policy | sr-1 | _smt.a | 'policy' | ERROR | A policy that addresses Supply Chain Risk Management must be associated with SR-1 part a. | need |
| has-sr-procedure | sr-1 | _smt.a | 'process-procedure' | ERROR | At least one procedure that addresses Supply Chain Risk Management must be associated with SR-1 part a. | need |
| has-conmon-plan_a | ca-7 | _smt.a | 'plan' | ERROR | The Continuous Monitoring (ConMon) Plan must be associated with CA-7 part a. | need |
| has-conmon-plan_b | ca-7 | _smt.b | 'plan' | ERROR | The Continuous Monitoring (ConMon) Plan must be associated with CA-7 part b. | need |
| has-conmon-plan_c | ca-7 | _smt.c | 'plan' | ERROR | The Continuous Monitoring (ConMon) Plan must be associated with CA-7 part c. | need |
| has-conmon-plan_d | ca-7 | _smt.d | 'plan' | ERROR | The Continuous Monitoring (ConMon) Plan must be associated with CA-7 part d. | need |
| has-conmon-plan_e | ca-7 | _smt.e | 'plan' | ERROR | The Continuous Monitoring (ConMon) Plan must be associated with CA-7 part e. | need |
| has-conmon-plan_f | ca-7 | _smt.f | 'plan' | ERROR | The Continuous Monitoring (ConMon) Plan must be associated with CA-7 part f. | need |
| has-conmon-plan_g | ca-7 | _smt.g | 'plan' | ERROR | The Continuous Monitoring (ConMon) Plan must be associated with CA-7 part g. | need |
| has-cm-plan_a | cm-9 | _smt.a | 'plan' | ERROR | The Configuration Management (CM) Plan must be associated with CM-9 part a. | need |
| has-cm-plan_b | cm-9 | _smt.b | 'plan' | ERROR | The Configuration Management (CM) Plan must be associated with CM-9 part b. | need |
| has-cm-plan_c | cm-9 | _smt.c | 'plan' | ERROR | The Configuration Management (CM) Plan must be associated with CM-9 part c. | need |
| has-cm-plan_d | cm-9 | _smt.d | 'plan' | ERROR | The Configuration Management (CM) Plan must be associated with CM-9 part d. | need |
| has-cm-plan_e | cm-9 | _smt.e | 'plan' | ERROR | The Configuration Management (CM) Plan must be associated with CM-9 part e. | need |
| has-iscp | cp-2 | _smt.a | 'plan' | ERROR | The Information System Contingency Plan (ISCP) must be associated with CP-2 part a. | need |
| has-iscp-test | cp-4 | _smt.a | ('plan', 'report') | ERROR | The Information System Contingency Plan (ISCP) Test Report must be associated with CP-4 part a. If the test report is in the plan, associate the plan and state the section. | need |
| has-ir-plan | ir-8 | _smt.a | 'plan' | ERROR | The Incident Response Plan (IRP) must be associated with IR-8 part a. | need |
| has-rob | pl-4 | _smt.a | 'rob' | ERROR | The Rules of Behavior must be associated with PL-4 part a. | need |
| has-srm-plan | sr-2 | _smt.a | 'plan' | ERROR | The Supply Chain Risk Management Plan must be associated with SR-2 part a. | need |

QUESTION

Can we define the variables as many times as needed, but put the actual constraint definition in an external file and import it each place it is needed, similar to the way allowed values are handled in the OSCAL metaschema?
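The attachment chain that the Dec 3 decision (option 3b) implies, together with the preliminary constraints 2a/2b and the per-row attachment pattern from the two comments above, as an added Python example that is not the fedramp-automation project's code and is not a Metapath implementation. It walks a constructed OSCAL SSP in JSON form (field names follow the OSCAL SSP model: components with links, back-matter resources with base64 or rlinks, statements with by-components) and reports the same two failure classes the preliminary constraints target. `SAMPLE_SSP`, the component and resource uuids, and `sample_reachable` are constructed for this example; the reachability predicate is a stand-in for a real fetch. One caveat for the Metapath version of 2b: `doc-available()` only returns true for a document the processor can parse as XML, so an rlink to a PDF cannot be proven reachable that way; reachability of non-XML attachments needs a separate probe outside the constraint.

```python
"""Walk the option-3b attachment chain in an OSCAL SSP (JSON form).

Added example, not the fedramp-automation project's code. SAMPLE_SSP and the
uuids in it are constructed; sample_reachable stands in for a network probe.
"""
import os

# Component types the preliminary constraint (2) treats as attachments.
ATTACHMENT_TYPES = {"policy", "process-procedure", "plan", "rob", "guide"}


def _components(ssp):
    return ssp["system-security-plan"]["system-implementation"].get("components", [])


def _resources(ssp):
    return ssp["system-security-plan"].get("back-matter", {}).get("resources", [])


def _attachment_resource(component, resources):
    """2a: a link[rel=attachment] whose href is a '#uuid' fragment naming exactly one resource."""
    for link in component.get("links", []):
        href = link.get("href", "")
        if link.get("rel") != "attachment" or not href.startswith("#"):
            continue  # direct external links (patterns 1 and 3a) are not accepted under 3b
        hits = [r for r in resources if r.get("uuid") == href[1:]]
        if len(hits) == 1:
            return hits[0]
    return None


def _local_file_exists(href):
    """Default reachability stand-in: only local paths can be probed offline."""
    return os.path.exists(href)


def resource_is_viable(resource, href_reachable=_local_file_exists):
    """2b: the resource carries base64 content or at least one rlink the caller can reach."""
    if resource.get("base64", {}).get("value"):
        return True
    return any(href_reachable(rl["href"]) for rl in resource.get("rlinks", []) if "href" in rl)


def check_preliminary(ssp, href_reachable=_local_file_exists):
    """Preliminary constraint 2: component uuid -> finding for each attachment component failing 2a/2b."""
    findings, resources = {}, _resources(ssp)
    for comp in _components(ssp):
        if comp.get("type") not in ATTACHMENT_TYPES:
            continue
        res = _attachment_resource(comp, resources)
        if res is None:
            findings[comp["uuid"]] = "2a: no link[rel='attachment'] resolving to exactly one back-matter resource"
        elif not resource_is_viable(res, href_reachable):
            findings[comp["uuid"]] = "2b: resource has neither base64 content nor a reachable rlink"
    return findings


def _statement(ssp, control_id, statement_id):
    for req in ssp["system-security-plan"]["control-implementation"]["implemented-requirements"]:
        if req.get("control-id") == control_id:
            for stmt in req.get("statements", []):
                if stmt.get("statement-id") == statement_id:
                    return stmt
    return None


def check_statement_attachment(ssp, control_id, statement_id, component_types,
                               href_reachable=_local_file_exists):
    """Per-row pattern: the statement needs a by-component whose component has one of
    component_types and whose 2a/2b chain is intact."""
    stmt = _statement(ssp, control_id, statement_id)
    if stmt is None:
        return False  # the #810 completeness check is expected to flag the missing statement first
    comps, resources = {c["uuid"]: c for c in _components(ssp)}, _resources(ssp)
    for bc in stmt.get("by-components", []):
        comp = comps.get(bc.get("component-uuid"))
        if comp is None or comp.get("type") not in component_types:
            continue
        res = _attachment_resource(comp, resources)
        if res is not None and resource_is_viable(res, href_reachable):
            return True
    return False


# Constructed sample: AC-1 part a is modelled per 3b; CM-9 part a points at a plan whose rlink is
# unreachable; CA-7 part a points at a plan with a dangling fragment; IR-8 part a has no by-component.
SAMPLE_SSP = {"system-security-plan": {
    "system-implementation": {"components": [
        {"uuid": "c-policy", "type": "policy", "title": "Access Control Policy",
         "links": [{"rel": "attachment", "href": "#r-policy"}]},
        {"uuid": "c-proc", "type": "process-procedure", "title": "AC Procedures",
         "links": [{"rel": "attachment", "href": "#r-proc"}]},
        {"uuid": "c-cmp", "type": "plan", "title": "CM Plan",
         "links": [{"rel": "attachment", "href": "#r-cmp"}]},
        {"uuid": "c-conmon", "type": "plan", "title": "ConMon Plan",
         "links": [{"rel": "attachment", "href": "#r-does-not-exist"}]}]},
    "control-implementation": {"implemented-requirements": [
        {"control-id": "ac-1", "statements": [{"statement-id": "ac-1_smt.a",
         "by-components": [{"component-uuid": "c-policy"}, {"component-uuid": "c-proc"}]}]},
        {"control-id": "cm-9", "statements": [{"statement-id": "cm-9_smt.a",
         "by-components": [{"component-uuid": "c-cmp"}]}]},
        {"control-id": "ca-7", "statements": [{"statement-id": "ca-7_smt.a",
         "by-components": [{"component-uuid": "c-conmon"}]}]},
        {"control-id": "ir-8", "statements": [{"statement-id": "ir-8_smt.a"}]}]},
    "back-matter": {"resources": [
        {"uuid": "r-policy", "base64": {"filename": "ac-policy.pdf", "value": "JVBERi0xLjQK"}},
        {"uuid": "r-proc", "rlinks": [{"href": "https://example.com/ac-procedures.pdf"}]},
        {"uuid": "r-cmp", "rlinks": [{"href": "https://example.com/cm-plan.pdf"}]}]}}}


def sample_reachable(href):
    """Stand-in for a HEAD/GET probe; only one constructed URL is treated as reachable."""
    return href == "https://example.com/ac-procedures.pdf"


if __name__ == "__main__":
    print(check_preliminary(SAMPLE_SSP, sample_reachable))
    for cid, sid, types in [("ac-1", "ac-1_smt.a", {"policy"}), ("cm-9", "cm-9_smt.a", {"plan"}),
                            ("ir-8", "ir-8_smt.a", {"plan"})]:
        print(cid, sid, sorted(types), check_statement_attachment(SAMPLE_SSP, cid, sid, types, sample_reachable))
```

Running the preliminary check first, as the comment above prescribes, keeps the per-statement messages meaningful: CM-9 and CA-7 fail here because their plan components are not viable (2b and 2a respectively), not because the statements lack a by-component, and a reviewer reading only the per-row ERROR would otherwise be sent to the wrong place.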

brian-ruf (Contributor, Author) commented
@aj-stein-gsa and @Rene2mt I think this is ready to create some tasks.
To elaborate on what I mentioned verbally earlier today, we should:
Step 1. Create the preliminary constraints described two comments above this one
Step 2. Create only one constraint that follows the attachment pattern and ensure it is doing what we want
Step 3. Determine the most efficient mechanism for replicating that pattern for every row in the above table.
Step 4. Deploy the rest of the attachments constraints based on step 3.

brian-ruf (Contributor, Author) commented
@wandmagic / @dimitri-zhurkin-vitg I suspect you'll have some good thoughts on how best to replicate this pattern once we feel it is solid.
