As an ASAP Developer, in order to provide FedRAMP reviewers visibility into the existence of Risk Adjustments, I want to identify these risks and confirm that they are correctly labeled.
Acceptance Criteria
[x] All Schematron assertion messages are declarative statements which affirm the positive test outcome.
[x] All Schematron assertion diagnostic messages are declarative statements which explain the negative test outcome.
[x] The Schematron code has no assertion failures when validated using src/validations/styleguides/sch.sch using the basic phase.
[x] XSpec unit tests for positive and negative Schematron assertion outcomes accompany all Schematron assertions (where feasible).
[x] identify a risk that is a risk adjustment by first finding the observation with type='risk-adjustment'. Match the uuid to a finding/related-observation/@observation-uuid.
[x] a relevant-evidence/link/@href value (that starts with an '#') of the above observation must match a resource/@uuid in the back-matter
[x] A risk with a prop[@ns="https://fedramp.gov/ns/oscal" @name="risk-adjustment"] has a mitigating-factor child with a @implementation-uuid. Check that this value matches an SSP control-implementatoin statement. issue a warning if it does not.
Definition of Done
[x] Acceptance criteria met
[x] Unit test coverage of our code > 95%
[x] Automated code quality checks passed
[x] Security reviewed and reported
[x] Reviewed against plain language guidelines
[x] Code must be self-documenting
[x] No local tech debt
[x] Load/performance tests passed – needs to be created/automated
[x] Documentation updated
[x] Architectural Decision Record completed as necessary for significant design choices
Extended Description
Acceptance Criteria
src/validations/styleguides/sch.sch
using thebasic
phase.Definition of Done