SSP Completeness Checks: 9 Services, Ports, and Protocols

[brian-ruf]

This is a ...

fix - something needs to be different

This relates to ...

• the Guide to OSCAL-based FedRAMP System Security Plans (SSP)
• the FedRAMP SSP OSCAL Template (JSON or XML Format)
• the FedRAMP OSCAL Validations

User Story

As a consumer of FedRAMP automated completeness checks I want the following OSCAL-based SSP items to be automatically verified for completeness by metaschema constraints:

• There should always be some PPS
• Need some analysis as to:
  • exact data that should be present
  • Minimum and typical number of entries
  • Alignment with components
  • For example an RDBMS should have at least a SQL port

Goals

SSP Completeness checks are defined, tested and documented

Dependencies

No response

Acceptance Criteria

• [ ] All FedRAMP Documents Related to OSCAL Adoption (https://github.com/GSA/fedramp-automation) affected by the changes in this issue have been updated.
• [ ] A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
• [ ] all constraints associated with the review task have been converted/created
• [ ] automate.fedramp.gov content has been updated accordingly
• [ ] the metaschema help prop has an appropriate link to the constraint
• [ ] the template has an content that models the desired OSCAL presentation
• [ ] the constraint runs against the example template
• [ ] known-bad content has been created
• [ ] the constraint appropriately flags the known-bad content as invalid

Other information

No response

[brian-ruf]

Per @aj-stein-gsa: Check #881 and #882 for alignment with this issue.

[brian-ruf]

[I wrote this comment almost two weeks ago, but just found it unsaved in a browser tab.]

881 is focused on the presence of //inventory-item.

PPS is addressed strictly using //component. While there is a relationship between the two, the scope of #881 does not impact this issue.

Similarly #882 is specifically about inventory items having an asset-id. This also has no impact to our approach to modeling PPS for FedRAMP SSPs.

[aj-stein-gsa]

PPS is addressed strictly using //component. While there is a relationship between the two, the scope of #881 does not impact this issue.

Similarly #882 is specifically about inventory items having an asset-id. This also has no impact to our approach to modeling PPS for FedRAMP SSPs.

By the time we moved ahead the work was almost done, so I let it go (I realized I had not properly categorized the constraints, but the scope of work was clear and in review before I could recategorize). Apologies. 🤦

So I should have update this issue and had not.