Merge pull request #459 from GSA/rev4-ssp-sch-xspec-remove-automation…
…-control-validations-issue-454

Rev 4 SSP Schematron XSpec - remove automation control validations
dimitri-zhurkin-vitg authored Jul 26, 2023
2 parents acc7f6c + 70316ea commit b3725da
Showing 2 changed files with 0 additions and 194 deletions.
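--- a/src/validations/rules/rev4/ssp.sch
+++ b/src/validations/rules/rev4/ssp.sch
@@ -3338,21 +3338,6 @@
 <sch:let
 name="implemented-controls"
 value="oscal:implemented-requirement/@control-id ! xs:string(.)" />
-<sch:let
-name="automation-controls"
-value="$fedramp-values//fedramp:value-set[@name eq 'automation-control-id']//fedramp:enum/@value ! xs:string(.)" />
-<sch:let
-name="required-automation-controls"
-value="$automation-controls[. = $required-controls]" />
-<sch:let
-name="missing-required-automation-controls"
-value="$required-automation-controls[not(. = $implemented-controls)]" />
-<sch:assert
-diagnostics="automation-control-exists-diagnostic"
-fedramp:specific="true"
-id="automation-control-exists"
-role="error"
-test="count($missing-required-automation-controls) eq 0">Every required automation control is implemented.</sch:assert>
 </sch:rule>
 <sch:rule
 context="oscal:implemented-requirement"
@@ -3363,25 +3348,6 @@
 <sch:let
 name="selected-profile"
 value="$sensitivity-level => lv:profile()" />
-<sch:let
-name="automation-controls"
-value="$fedramp-values//fedramp:value-set[@name eq 'automation-control-id']//fedramp:enum/@value ! xs:string(.)" />
-<sch:assert
-diagnostics="automation-control-is-implemented-diagnostic"
-fedramp:specific="true"
-id="automation-control-is-implemented"
-role="error"
-test="
-if (@control-id = $automation-controls)
-then
-(
-if (exists(oscal:prop[@ns eq 'https://fedramp.gov/ns/oscal' and @name = 'implementation-status' and @value eq 'implemented']))
-then
-(true())
-else
-(false()))
-else
-(true())">Every automation control is fully implemented.</sch:assert>
 <sch:assert
 diagnostics="implemented-requirement-has-implementation-status-diagnostic"
 doc:guide-reference="Guide to OSCAL-based FedRAMP System Security Plans §5.3"
@@ -5215,16 +5181,6 @@
 doc:context="oscal:import-profile"
 id="import-profile-resolves-to-catalog-diagnostic">The import-profile element has an href attribute that does not reference a resolved
 baseline profile catalog document.</sch:diagnostic>
-<sch:diagnostic
-doc:assertion="automation-control-exists"
-doc:context="oscal:control-implementation"
-id="automation-control-exists-diagnostic">The SSP document does not contain the following implemented requirement(s) <sch:value-of
-select="$missing-required-automation-controls" />.</sch:diagnostic>
-<sch:diagnostic
-doc:assertion="automation-control-is-implemented"
-doc:context="oscal:implemented-requirement"
-id="automation-control-is-implemented-diagnostic">The technical control implementation <sch:value-of
-select="@control-id" /> does not have an implementation status of 'implemented'.</sch:diagnostic>
 <sch:diagnostic
 doc:assertion="implemented-requirement-has-implementation-status"
 doc:context="oscal:implemented-requirement"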
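--- a/src/validations/test/rules/rev4/ssp.xspec
+++ b/src/validations/test/rules/rev4/ssp.xspec
@@ -9495,156 +9495,6 @@
 label="that is an error" />
 </x:scenario>
 </x:scenario>
-<x:scenario
-label="An automation control must be implemented.">
-<x:scenario
-label="When that is true">
-<x:context>
-<system-security-plan
-xmlns="http://csrc.nist.gov/ns/oscal/1.0">
-<control-implementation>
-<implemented-requirement
-control-id="ac-2.1">
-<prop
-name="implementation-status"
-ns="https://fedramp.gov/ns/oscal"
-value="implemented" />
-</implemented-requirement>
-</control-implementation>
-</system-security-plan>
-</x:context>
-<x:expect-not-assert
-id="automation-control-is-implemented"
-label="that is correct" />
-</x:scenario>
-<x:scenario
-label="When that is false">
-<x:context>
-<system-security-plan
-xmlns="http://csrc.nist.gov/ns/oscal/1.0">
-<control-implementation>
-<implemented-requirement
-control-id="ac-2.1">
-<prop
-name="implementation-status"
-ns="https://fedramp.gov/ns/oscal"
-value="partial" />
-</implemented-requirement>
-</control-implementation>
-</system-security-plan>
-</x:context>
-<x:expect-assert
-id="automation-control-is-implemented"
-label="that is an error" />
-</x:scenario>
-</x:scenario>
-<x:scenario
-label="The defined automation controls are available in the SSP document.">
-<x:scenario
-label="When that is true">
-<x:context>
-<system-security-plan
-xmlns="http://csrc.nist.gov/ns/oscal/1.0">
-<system-characteristics>
-<security-sensitivity-level>fips-199-moderate</security-sensitivity-level>
-</system-characteristics>
-<control-implementation>
-<implemented-requirement
-control-id="ac-2.1" />
-<implemented-requirement
-control-id="ac-12" />
-<implemented-requirement
-control-id="ac-18.3" />
-<implemented-requirement
-control-id="au-6.1" />
-<implemented-requirement
-control-id="au-3.2" />
-<implemented-requirement
-control-id="au-6.4" />
-<implemented-requirement
-control-id="au-7.1" />
-<implemented-requirement
-control-id="at-3.4" />
-<implemented-requirement
-control-id="ca-7" />
-<implemented-requirement
-control-id="cm-2.2" />
-<implemented-requirement
-control-id="cm-3.1" />
-<implemented-requirement
-control-id="cm-3.6" />
-<implemented-requirement
-control-id="cm-6.1" />
-<implemented-requirement
-control-id="cm-8.3" />
-<implemented-requirement
-control-id="cm-11" />
-<implemented-requirement
-control-id="cp-10" />
-<implemented-requirement
-control-id="ir-4.1" />
-<implemented-requirement
-control-id="ir-5.1" />
-<implemented-requirement
-control-id="ir-6.1" />
-<implemented-requirement
-control-id="pe-3" />
-<implemented-requirement
-control-id="pe-8.1" />
-<implemented-requirement
-control-id="pe-11.1" />
-<implemented-requirement
-control-id="pe-13.1" />
-<implemented-requirement
-control-id="pe-13.2" />
-<implemented-requirement
-control-id="pe-13.3" />
-<implemented-requirement
-control-id="pe-15.1" />
-<implemented-requirement
-control-id="ps-4.2" />
-<implemented-requirement
-control-id="sc-23.1" />
-<implemented-requirement
-control-id="si-2.2" />
-<implemented-requirement
-control-id="si-3.2" />
-<implemented-requirement
-control-id="si-4.2" />
-<implemented-requirement
-control-id="si-5.1" />
-<implemented-requirement
-control-id="si-7.2" />
-<implemented-requirement
-control-id="si-7.5" />
-<implemented-requirement
-control-id="si-8.2" />
-</control-implementation>
-</system-security-plan>
-</x:context>
-<x:expect-not-assert
-id="automation-control-exists"
-label="that is correct" />
-</x:scenario>
-<x:scenario
-label="When that is false">
-<x:context>
-<system-security-plan
-xmlns="http://csrc.nist.gov/ns/oscal/1.0">
-<system-characteristics>
-<security-sensitivity-level>fips-199-moderate</security-sensitivity-level>
-</system-characteristics>
-<control-implementation>
-<implemented-requirement
-control-id="ac-2.10" />
-</control-implementation>
-</system-security-plan>
-</x:context>
-<x:expect-assert
-id="automation-control-exists"
-label="that is an error" />
-</x:scenario>
-</x:scenario>
 <x:scenario
 label="An implemented control must include required response point statements.">
 <x:scenario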
