SSP Completeness Checks: Appendix E Digital Identity Worksheet

[brian-ruf]

This is a ...

fix - something needs to be different

This relates to ...

• the Guide to OSCAL-based FedRAMP System Security Plans (SSP)
• the FedRAMP SSP OSCAL Template (JSON or XML Format)
• the FedRAMP OSCAL Validations

User Story

As a consumer of FedRAMP automated completeness checks I want the following OSCAL-based SSP items to be automatically verified for completeness by metaschema constraints:

• Check for presence of DIL values
• Check that the DIL values align with the security-sensitivity-level per the FedRAMP DIL Worksheet (Low: 1/1/1, Moderate: 2/2/2, High: 3/3/3)

Goals

SSP Completeness checks are defined, tested and documented

Dependencies

No response

Acceptance Criteria

• [ ] All FedRAMP Documents Related to OSCAL Adoption (https://github.com/GSA/fedramp-automation) affected by the changes in this issue have been updated.
• [ ] A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
• [ ] all constraints associated with the review task have been converted/created
• [ ] automate.fedramp.gov content has been updated accordingly
• [ ] the metaschema help prop has an appropriate link to the constraint
• [ ] the template has an content that models the desired OSCAL presentation
• [ ] the constraint runs against the example template
• [ ] known-bad content has been created
• [ ] the constraint appropriately flags the known-bad content as invalid

Other information

No response

[brian-ruf]

This is barely a task.

Target: target="//system-characteristics"

Presence:

• count(./prop[@name='identity-assurance-level']) = 1
• count(./prop[@name='authenticator-assurance-level']) = 1
• count(./prop[@name='federation-assurance-level']) = 1

Alignment:

• If fips-199-low, IAL, AAL, and FAL should all be "1"
• If fips-199-moderate, IAL, AAL, and FAL should all be "2"
• If fips-199-high, IAL, AAL, and FAL should all be "3"

count( //system-characteristics [

( ./security-sensitivity-level/text() = "fips-199-low" and ./prop[(@name='identity-assurance-level' and @value='1')] and ./prop[(@name='authenticator-assurance-level' and @value='1')] and ./prop[(@name='federation-assurance-level' and @value='1')] ) or ( ./security-sensitivity-level/text() = "fips-199-moderate" and ./prop[(@name='identity-assurance-level' and @value='2')] and ./prop[(@name='authenticator-assurance-level' and @value='2')] and ./prop[(@name='federation-assurance-level' and @value='2')] ) or ( ./security-sensitivity-level/text() = "fips-199-high" and ./prop[(@name='identity-assurance-level' and @value='3')] and ./prop[(@name='authenticator-assurance-level' and @value='3')] and ./prop[(@name='federation-assurance-level' and @value='3')] )

] ) = 1

![Screenshot 2024-11-25 231841](https://github.com/user-attachments/assets/d3db00ea-ce67-415f-bac6-47ec4480c2d5)