GSA · wandmagic · Dec 13, 2024 · Dec 10, 2024 · Dec 10, 2024 · Dec 11, 2024
@@ -92,7 +92,6 @@ Examples:
   | has-rules-of-behavior |
   | has-security-impact-level |
   | has-security-sensitivity-level |
-  | has-separation-of-duties-matrix |
   | has-system-id |
   | has-system-name-short |
   | has-user-guide |
@@ -104,6 +103,7 @@ Examples:
   | information-type-has-confidentiality-impact |
   | information-type-has-integrity-impact |
   | information-type-system |
+  | inter-boundary-component-direction-incoming-has-ipv-uri |
   | inter-boundary-component-has-direction |
   | interconnection-direction |
   | interconnection-security |
@@ -299,8 +299,6 @@ Examples:
   | has-security-impact-level-PASS.yaml |
   | has-security-sensitivity-level-FAIL.yaml |
   | has-security-sensitivity-level-PASS.yaml |
-  | has-separation-of-duties-matrix-FAIL.yaml |
-  | has-separation-of-duties-matrix-PASS.yaml |
   | has-system-id-FAIL.yaml |
   | has-system-id-PASS.yaml |
   | has-system-name-short-FAIL.yaml |
@@ -323,6 +321,8 @@ Examples:
   | information-type-id-PASS.yaml |
   | information-type-system-FAIL.yaml |
   | information-type-system-PASS.yaml |
+  | inter-boundary-component-direction-incoming-has-ipv-uri-FAIL.yaml |
+  | inter-boundary-component-direction-incoming-has-ipv-uri-PASS.yaml |
   | inter-boundary-component-has-direction-FAIL.yaml |
   | inter-boundary-component-has-direction-PASS.yaml |
   | interconnection-direction-FAIL.yaml |

@@ -1196,6 +1196,12 @@
          </prop>
 
          <prop name="inherited-uuid" value="22222222-0000-4000-9001-009000000001" />
+
+         <prop ns="https://fedramp.gov/ns/oscal" name="ipv4-address" class="local" value="10.1.1.3"/>
+         <prop ns="https://fedramp.gov/ns/oscal" name="ipv6-address" class="local" value="::ffff:10.1.1.3"/>
+         <prop ns="https://fedramp.gov/ns/oscal" name="ipv4-address" class="remote" value="10.2.2.3"/>
+         <prop ns="https://fedramp.gov/ns/oscal" name="ipv6-address" class="remote" value="::ffff:10.2.2.3"/>
+
          <link rel="used-by" href="#11111111-2222-4000-8000-009000000000"/>
 
          <status state="operational"/>
@@ -1781,6 +1787,14 @@
          <prop ns="https://fedramp.gov/ns/oscal" name="scan-type" value="database"/>
          <prop name="baseline-configuration-name" value="Baseline Config. Name"/>
          <prop name="allows-authenticated-scan" value="yes"/>
+
+
+         <prop ns="https://fedramp.gov/ns/oscal" name="ipv4-address" class="local" value="10.1.1.4"/>
+         <prop ns="https://fedramp.gov/ns/oscal" name="ipv6-address" class="local" value="::ffff:10.1.1.4"/>
+         <prop ns="https://fedramp.gov/ns/oscal" name="ipv4-address" class="remote" value="10.2.2.4"/>
+         <prop ns="https://fedramp.gov/ns/oscal" name="ipv6-address" class="remote" value="::ffff:10.2.2.4"/>   
+
+
          <link href="#11111111-2222-4000-8000-009000500006" rel="used-by" />
          <status state="operational"/>
          <responsible-role role-id="admin">
@@ -2192,6 +2206,12 @@
                <p>If 'not-applicable', attest explain why authentication is not applicable in the remarks.</p>
             </remarks>
          </prop>
+
+         <prop ns="https://fedramp.gov/ns/oscal" name="ipv4-address" class="local" value="10.1.1.5"/>
+         <prop ns="https://fedramp.gov/ns/oscal" name="ipv6-address" class="local" value="::ffff:10.1.1.5"/>
+         <prop ns="https://fedramp.gov/ns/oscal" name="ipv4-address" class="remote" value="10.2.2.5"/>
+         <prop ns="https://fedramp.gov/ns/oscal" name="ipv6-address" class="remote" value="::ffff:10.2.2.5"/>
+
          <link href="#11111111-2222-4000-8000-009000500005" rel="used-by" />
          <!-- is-scanned prop applies to inventory-item (not component) -->
          <!-- <prop name="is-scanned" value="yes"/> -->

@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+
+  <system-implementation>
+
+    <component uuid="77777777-0000-4000-9000-000000000008" type="service">
+      <title>Communication Service System</title>
+      <description>
+        <p>A network communication service system.</p>
+      </description>
+      <prop name="inherited-uuid" value="11111111-0000-4000-9001-000000000001"/>
+      <prop name="implementation-point" value="external"/>
+      <prop name="direction" value="incoming" ns="https://fedramp.gov/ns/oscal"/>
+      <prop name="nature-of-agreement" ns="https://fedramp.gov/ns/oscal" value="isa"/>
+      <status state="operational"/>
+    </component>
+
+  </system-implementation>
+
+</system-security-plan>
@@ -12,7 +12,7 @@
         <p>A network communication service system.</p>
       </description>
       <prop name="inherited-uuid" value="11111111-0000-4000-9001-000000000001"/>
-      <prop name="implementation-point" value="internal"/>
+      <prop name="implementation-point" value="external"/>
       <prop name="direction" value="incoming" ns="https://fedramp.gov/ns/oscal"/>
       <prop name="direction" value="outgoing" ns="https://fedramp.gov/ns/oscal"/>
       <prop name="direction" value="outgoing" ns="https://fedramp.gov/ns/oscal"/>

@@ -534,7 +534,7 @@
     <context>
         <metapath target="/system-security-plan/system-implementation"/>
         <constraints>
-            <let var="inter-boundary-component" expression="component[(@type='service' and not(prop[@name='leveraged-authorization-uuid']) and prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type='service' and prop[@name='implementation-point' and @value='internal'] and prop[@name='direction']) or (@type='software' and prop[@name='asset-type' and @value='cli'] and prop[@name='direction'])]"/>
+            <let var="inter-boundary-component" expression="component[(@type=('service','software') and not(prop[@name='leveraged-authorization-uuid']) and prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type=('service', 'software') and prop[@name='implementation-point' and @value='internal'] and (prop[@name='communicates-externally' and @value='yes' and @ns='https://fedramp.gov/ns/oscal']))]"/>
             <expect id="authentication-method-has-remarks" target="//component[(@type='system' and ./prop[@name='leveraged-authorization-uuid']) or (@type='service' and not(./prop[@name='leveraged-authorization-uuid']) and ./prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type='service' and ./prop[@name='implementation-point' and @value='internal'] and ./prop[@name='direction']) or (@type='software' and ./prop[@name='asset-type' and @value='cli'] and ./prop[@name='direction'])]" test="count(./prop[@name='authentication-method' and @ns='https://fedramp.gov/ns/oscal'])  = count(./prop[@name='authentication-method' and @ns='https://fedramp.gov/ns/oscal']/remarks)" level="ERROR">
                 <formal-name>Authentication Method Has Remarks</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#leveraged-fedramp-authorized-services"/>
@@ -545,6 +545,11 @@
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
                 <message>A FedRAMP SSP system implementation section MUST have at least two inventory items.</message>
             </expect>
+            <expect id="inter-boundary-component-direction-incoming-has-ipv-uri" target="$inter-boundary-component" test="if (prop[@name='direction' and @value='incoming']) then exists(prop[@class='local' and @name=('ipv4-address','ipv6-address')]) or exists(link[@rel='uri']) else true()" level="ERROR">
+               <formal-name>Inter-Boundary Incoming Communication Direction Has an IPV Address or a URI</formal-name>
+               <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#external-systems-and-services-not-having-fedramp-authorization"/>
+               <message>Component {@uuid} ({path(.)}) MUST have at least one local ipv4 address, ipv6 address, or a URI to an API.</message>
+            </expect>
             <expect id="inter-boundary-component-has-direction" target="$inter-boundary-component" test="count(prop[@name='direction']) >= 1 and count(prop[@name='direction' and @value='incoming']) &lt;= 1 and count(prop[@name='direction' and @value='outgoing']) &lt;= 1" level="ERROR">
                 <formal-name>Inter-Boundary Component Has Direction</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#external-systems-and-services-not-having-fedramp-authorization"/>

@@ -0,0 +1,8 @@
+# Driver for the invalid inter-boundary-component-direction-incoming-has-ipv-uri constraint unit test.
+test-case:
+  name: The invalid inter-boundary-component-direction-incoming-has-ipv-uri constraint unit test.
+  description: Test that the FedRAMP SSP inter-boundary incoming communication component does not have a local ipv4 address, ipv6 address, or a URI to an API.
+  content: ../content/ssp-inter-boundary-component-direction-incoming-has-ipv-uri-INVALID.xml
+  expectations:
+  - constraint-id: inter-boundary-component-direction-incoming-has-ipv-uri
+    result: fail
@@ -0,0 +1,8 @@
+# Driver for the valid inter-boundary-component-direction-incoming-has-ipv-uri constraint unit test.
+test-case:
+  name: The valid inter-boundary-component-direction-incoming-has-ipv-uri constraint unit test.
+  description: Test that the FedRAMP SSP inter-boundary incoming communication component has at least one local ipv4 address, ipv6 address, or a URI to an API.
+  content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+  expectations:
+  - constraint-id: inter-boundary-component-direction-incoming-has-ipv-uri
+    result: pass