SAR: Attestations

[markXLIX]

Extended Description -As an ASAP developer, in order to assist FedRAMP reviewers, I want to ensure that a result has appropriate attestation information.

Acceptance Criteria

• [x] All Schematron assertion messages are declarative statements which affirm the positive test outcome.
• [x] All Schematron assertion diagnostic messages are declarative statements which explain the negative test outcome.
• [x] The Schematron code has no assertion failures when validated using src/validations/styleguides/sch.sch using the basic phase.
• [x] XSpec unit tests for positive and negative Schematron assertion outcomes accompany all Schematron assertions (where feasible).
• [x] result elements have attestation/part[@name='authorization-statements']/prop with attributes @ns='https://fedramp.gov/ns/oscal' and @name='recommend-authorization'
• [x] When the above, check the @value value. When any value other than 'yes' the first paragraph of the first part child 'authorization-statement' must conform to the following: "A total of [# of risks] system risks were identified for [system name], including [#high] High risks, [#moderate] Moderate risks, [#low] Low risks, and [#operationally-required] of operationally required risks."
• [x] Each risk element may have a prop with a @name='priority' and @ns='https://fedramp.gov/ns/oscal'. If it does then the value must be a number that is unique among the risk elements.

Definition of Done

• [x] Acceptance criteria met
• [ ] Unit test coverage of our code > 95%
• [ ] Automated code quality checks passed
• [ ] Security reviewed and reported
• [ ] Reviewed against plain language guidelines
• [ ] Code must be self-documenting
• [ ] No local tech debt
• [ ] Load/performance tests passed – needs to be created/automated
• [ ] Documentation updated
• [ ] Architectural Decision Record completed as necessary for significant design choices
• [ ] PR reviewed & approved
• [ ] Source code merged