Deployment Model and Service Model Checks

[ohsh6o]

Extended Description

As a FedRAMP reviewer, in order to ensure FedRAMP authorizes a CSP for the right kind of agency audience and deployment, I want to check the type of CSP deployment model and service model make sense.

Example: If the CSP indicates "Public" cloud is it deployed to a cloud that allows public access (i.e., not Government only IaaS)?

Preconditions N/A

Acceptance Critera

• A validation to confirm a properly selected combination of deployment model and service model.

Story Tasks

• [x] Create Schematron assertions and related unit tests

Definition of Done

Unrelated items are struck through.

• [x] Acceptance criteria met - Each user story should meet the acceptance criteria in the description
• [x] Unit test coverage of our code > 90% (from QASP) this may be fuzzy and hard to prove
• [x] Code quality checks passed - Enable html tidy with XML code standards as part of the build (from QASP) - [ ] Accessibility: (from QASP) as we create guidance or documentation and reports (semantic tagging including aria tags): demonstrate with 0 errors reported for WCAG 2.1 AA standards using an automated scanner and 0 errors reported in manual testing
• [x] Code reviewed - Code reviewed by at least one other team members (or developed by a pair)
• [x] Source code merged - Code that’s demoed must be in source control and merged
• [x] Code must successfully build and deploy into staging environment (from QASP): this may evolve from xslt sh pipline into something more ~~- [ ] Security reviewed and reported - Conduct vulnerability and compliance scanning. threat modeling? ~~ - [ ] Code submitted must be free of medium- and high-level static and dynamic security vulnerabilities (from QASP) - [ ] Usability tests passed - Each user story should be easy to use by target users (development community? FedRAMP FART team) - [ ] Usability testing and other user research methods must be conducted at regular intervals throughout the development process (not just at the beginning or end). (from QASP)
• [x] Code refactored for clarity - Code must be clean, self-documenting
• [x] No local design debt
• [x] Load/performance tests passed - test data needed - saxon instrumentation - [ ] Documentation generated - update readme or contributing markdown as necessary. - [ ] Architectural Decision Record completed as necessary for significant design choices

[GaryGapinski]

"Example: If the CSP indicates "Public" cloud is it deployed to a cloud that allows public access (i.e., not Government only IaaS)?" cannot be inferred using just cloud-service-model and cloud-deployment-model. The former must be chosen from (saas, paas, iaas, other) and the latter from (public-cloud, private-cloud, government-only-cloud, hybrid-cloud, other). Any and all values may be present for each (they are checkbox items).

I do not see how combinations of these alone can be determined to "make sense".

Public cloud necessity can be inferred from any inventory component or item which has its public property set affirmatively but the actual cloud providers employed do not appear to have a strict definition in the SSP (and such a definition would have to assert it was a cloud with desired attributes). Were a component to be used for such, the related component type constraints would require augmentation and additional attributes likely needed.

Somewhat related, since a system's exposure to "public" can be inferred from its inventory, then every (IP-networked) inventory-item must have an IPv6 address.

[GaryGapinski]

Schematron coded. XSpec not yet.

[ohsh6o]

"Example: If the CSP indicates "Public" cloud is it deployed to a cloud that allows public access (i.e., not Government only IaaS)?" cannot be inferred using just cloud-service-model and cloud-deployment-model. The former must be chosen from (saas, paas, iaas, other) and the latter from (public-cloud, private-cloud, government-only-cloud, hybrid-cloud, other). Any and all values may be present for each (they are checkbox items).

I do not see how combinations of these alone can be determined to "make sense".

Public cloud necessity can be inferred from any inventory component or item which has its public property set affirmatively but the actual cloud providers employed do not appear to have a strict definition in the SSP (and such a definition would have to assert it was a cloud with desired attributes). Were a component to be used for such, the related component type constraints would require augmentation and additional attributes likely needed.

Somewhat related, since a system's exposure to "public" can be inferred from its inventory, then every (IP-networked) inventory-item must have an IPv6 address.

@GaryGapinski, I will have to have a think about this one. Perhaps it is something we need to discuss with the FART in a weekly email/discussion as agreed.

[GaryGapinski]

Related: the "DRAFT - Agency Authorization Review Report - DRAFT" has section B item 1b "Is the correct Deployment Model chosen for the system?"