Check FIPS-199 Categorization Consistency with Information Types

[ohsh6o]

Extended Description

• As an OSCAL validation producer, in order to ensure proper SSP FIPS 199 categorization has occurred, I want to have sufficient validations to accomplish that goal.

Refer to _Guide to OSCAL-based FedRAMP System Security Plans_ §4.2, §4.3, §4.4.

Refer to SSP Schematron patterns fips-140, sp800-60.

The overall FIPS 199 categorization of a system is stated in SSP <security-sensitivity-level>. FIPS 199 describes how this is determined.

The types of information maintained within a system are specified in SSP <system-information> <information-type> elements. Each <information-type> has base (required) and selected (optional) security impact levels. Information types can be found in NIST SP 800-60 v2r1. There is also https://github.com/18F/fedramp-automation/blob/develop/dist/content/resources/xml/information-types.xml.

NIST SP 800-60 v1r1 describes the categorization process. Note that the process can result in adjustments. These adjustments are noted within <information-type> impacts.

<security-impact-level> is the result of the categorization process. It's subordinate elements should be consonant with <security-sensitivity-level> and the (composite) <information-type> selected impacts.

In other words, the categorization process resulted in selections which are consonant with one another in these SSP areas.

Acceptance Criteria

• [x] Validations exist which ensure consonance within FIPS 199 and SP 800-60 SSP elements.
• [x] All Schematron assertion messages are declarative statements which affirm the positive test outcome.
• [x] All Schematron assertion diagnostic messages are declarative statements which explain the negative test outcome.
• [x] The Schematron code has no assertion failures when validated using src/validations/styleguides/sch.sch using the basic phase.
• [x] XSpec unit tests for positive and negative Schematron assertion outcomes accompany all Schematron assertions (where feasible).
• [x] There are at least two Schematron assertions (more are quite possible depending on coding preferences) to minimally assert that
  • [x] Every <security-impact-level> child element is correctly derived from the corresponding category impact set gathered from all (one or more) information types.
  • [x] <security-sensitivity-level> is correctly derived from the CIA impact set.

Story Tasks

• [x] Create Schematron assertions which ensure consonance within FIPS 199 and SP 800-60 SSP elements.

Definition of Done

• [x] Acceptance criteria met
• [x] Unit test coverage of our code > 95%
• [x] Automated code quality checks passed
• [x] Security reviewed and reported
• [x] Reviewed against plain language guidelines
• [x] Code must be self-documenting
• [x] No local tech debt
• [x] Load/performance tests passed – needs to be created/automated
• [x] Documentation updated
• [x] Architectural Decision Record completed as necessary for significant design choices
• [x] PR reviewed & approved
• [x] Source code merged

[GaryGapinski]

What is the question?

[markXLIX]

This is a lot of links without any specific requirements. It is unlikely that a person outside the security domain is going to be able to create correct validations.

[GaryGapinski]

This is a lot of links without any specific requirements. It is unlikely that a person outside the security domain is going to be able to create correct validations.

That is not a question.

[markXLIX]

consonant

No it is not.

[GaryGapinski]

FIPS 199 describes the categorization process in a more concise way (compared to SP 800-60), but from an OSCAL aspect the (1 or more) information types (<information-type>) each have confidentiality, integrity, and availability impacts. Each impact has a required base value and optional selected value. The highest (low < moderate < high) impact of all the respective confidentiality, integrity, and availability base and selected values determines the respective values of <security-impact-level> respective child elements. The validation should affirm that is the case. Additionally, the badly-named <security-sensitivity-level> (FIPS 199 categorization) should be the highest (low < moderate < high) impact of the <security-impact-level> child elements.

One Schematron assertion message could be "The security impact levels are consonant with the information types." Another Schematron assertion message could be "The security sensitivity level is consonant with the security impact levels."