Add system-characteristics 'has-assurance-level' constraints (#701)

* Add system-characteristics 'has-assurance-level' constraints & tests

* Make uniform wording for informational findings per PR review

---------

Co-authored-by: A.J. Stein <[email protected]>

features/fedramp_extensions.feature

@@ -43,8 +43,14 @@ Examples:
   | data-center-us-PASS.yaml |
   | deployment-mode-FAIL.yaml |
   | deployment-mode-PASS.yaml |
+  | has-authenticator-assurance-level-FAIL.yaml |
+  | has-authenticator-assurance-level-PASS.yaml |
   | has-configuration-management-plan-FAIL.yaml |
   | has-configuration-management-plan-PASS.yaml |
+  | has-federation-assurance-level-FAIL.yaml |
+  | has-federation-assurance-level-PASS.yaml |
+  | has-identity-assurance-level-FAIL.yaml |
+  | has-identity-assurance-level-PASS.yaml |
   | has-incident-response-plan-FAIL.yaml |
   | has-incident-response-plan-PASS.yaml |
   | has-information-system-contingency-plan-FAIL.yaml |
@@ -71,12 +77,12 @@ Examples:
   | resource-has-title-PASS.yaml |
   | response-point-FAIL.yaml |
   | response-point-PASS.yaml |
-  | role-defined-system-owner-FAIL.yaml |
-  | role-defined-system-owner-PASS.yaml |
   | role-defined-authorizing-official-poc-FAIL.yaml |
   | role-defined-authorizing-official-poc-PASS.yaml |
   | role-defined-information-system-security-officer-FAIL.yaml |
   | role-defined-information-system-security-officer-PASS.yaml |
+  | role-defined-system-owner-FAIL.yaml |
+  | role-defined-system-owner-PASS.yaml |
   | scan-type-FAIL.yaml |
   | scan-type-PASS.yaml |
   | user-type-FAIL.yaml |
@@ -110,7 +116,10 @@ Examples:
   | data-center-country-code |
   | data-center-primary |
   | deployment-model |
+  | has-authenticator-assurance-level |
   | has-configuration-management-plan |
+  | has-federation-assurance-level |
+  | has-identity-assurance-level |
   | has-incident-response-plan |
   | has-information-system-contingency-plan |
   | has-rules-of-behavior |
@@ -124,9 +133,9 @@ Examples:
   | prop-response-point-has-cardinality-one |
   | resource-has-base64-or-rlink |
   | resource-has-title |
-  | role-defined-system-owner |
   | role-defined-authorizing-official-poc |
   | role-defined-information-system-security-officer |
+  | role-defined-system-owner |
   | scan-type |
   | user-type |
 #END_DYNAMIC_CONSTRAINT_IDS

src/validations/constraints/content/ssp-all-VALID.xml

@@ -78,6 +78,9 @@
     <prop name='cloud-deployment-model' value='government-only-cloud' ns="https://fedramp.gov/ns/oscal"/>
     <prop name='cloud-service-model' value='other' ns="https://fedramp.gov/ns/oscal"/>
     <prop name='authorization-type' value='fedramp-agency' ns="https://fedramp.gov/ns/oscal"/>
+    <prop name="identity-assurance-level" value="2"/>
+    <prop name="authenticator-assurance-level" value="2"/>
+    <prop name="federation-assurance-level" value="2"/>
     <security-sensitivity-level>moderate</security-sensitivity-level>
     <system-information>
       <information-type  uuid="33333333-0000-4000-9000-000000000003">

src/validations/constraints/fedramp-external-constraints.xml

@@ -59,9 +59,18 @@
             <expect id="categorization-has-correct-system-attribute" target="./system-characteristics" test="system-information/information-type/categorization/@system eq 'https://doi.org/10.6028/NIST.SP.800-60v2r1'" level="ERROR">
             <message>A FedRAMP SSP information-type categorization requires a correct system attribute. FedRAMP only supports the system value 'https://doi.org/10.6028/NIST.SP.800-60v2r1'.</message>
             </expect>
-            <expect id="categorization-has-information-type-id" target="//system-characteristics" test="system-information/information-type/categorization/information-type-id" level="ERROR">
+            <expect id="categorization-has-information-type-id" target="./system-characteristics" test="system-information/information-type/categorization/information-type-id" level="ERROR">
             <message>A FedRAMP SSP information type categorization must have at least one information type identifier.</message>
             </expect>
+            <expect id="has-identity-assurance-level" target="./system-characteristics" test="prop[@name eq 'identity-assurance-level']" level="INFORMATIONAL">
+            <message>This FedRAMP SSP does define its NIST SP 800-63 identity assurance level (IAL).</message>
+            </expect>
+            <expect id="has-authenticator-assurance-level" target="./system-characteristics" test="prop[@name eq 'authenticator-assurance-level']" level="INFORMATIONAL">
+            <message>This FedRAMP SSP does define its NIST SP 800-63 authenticator assurance level (AAL).</message>
+            </expect>
+            <expect id="has-federation-assurance-level" target="./system-characteristics" test="prop[@name eq 'federation-assurance-level']" level="INFORMATIONAL">
+            <message>This FedRAMP SSP does define its NIST SP 800-63 federation assurance level (IAL).</message>
+            </expect>
         </constraints>
     </context>
     <context>

src/validations/constraints/unit-tests/has-authenticator-assurance-level-FAIL.yaml

@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for has-authenticator-assurance-level
+  description: >-
+    This test case validates the behavior of constraint
+    has-authenticator-assurance-level
+  content: ../content/ssp-all-INVALID.xml
+  expectations:
+    - constraint-id: has-authenticator-assurance-level
+      result: fail

src/validations/constraints/unit-tests/has-authenticator-assurance-level-PASS.yaml

@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for has-authenticator-assurance-level
+  description: >-
+    This test case validates the behavior of constraint
+    has-authenticator-assurance-level
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: has-authenticator-assurance-level
+      result: pass

src/validations/constraints/unit-tests/has-federation-assurance-level-FAIL.yaml

@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for has-federation-assurance-level
+  description: >-
+    This test case validates the behavior of constraint
+    has-federation-assurance-level
+  content: ../content/ssp-all-INVALID.xml
+  expectations:
+    - constraint-id: has-federation-assurance-level
+      result: fail

src/validations/constraints/unit-tests/has-federation-assurance-level-PASS.yaml

@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for has-federation-assurance-level
+  description: >-
+    This test case validates the behavior of constraint
+    has-federation-assurance-level
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: has-federation-assurance-level
+      result: pass

src/validations/constraints/unit-tests/has-identity-assurance-level-FAIL.yaml

@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for has-identity-assurance-level
+  description: >-
+    This test case validates the behavior of constraint
+    has-identity-assurance-level
+  content: ../content/ssp-all-INVALID.xml
+  expectations:
+    - constraint-id: has-identity-assurance-level
+      result: fail

src/validations/constraints/unit-tests/has-identity-assurance-level-PASS.yaml

@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for has-identity-assurance-level
+  description: >-
+    This test case validates the behavior of constraint
+    has-identity-assurance-level
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: has-identity-assurance-level
+      result: pass