@ohsh6o
Created August 13, 2021 21:02
FedRAMP Validation Business Rules
<!DOCTYPE HTML>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>FedRAMP Validation Logic</title><style>caption { font-weight: bold; font-size: large; } thead tr { background-color: #e0e0e0; color: inherit; } thead th { vertical-align: bottom; text-align: left; white-space: normal; } thead td { } tbody tr { vertical-align: top; } tbody th { text-align: left; background-color: #e8e8e8; color: inherit; } tbody tr { background-color: #f0f0f0; color: inherit; } code code { color: inherit; } .highlight { background-color: powderblue; } .highlight-missed { background-color: yellow; } .missing { background-color: orange; } .NB { background-color: thistle; } .FedRAMP-ns { background-color: chartreuse; } .context-item { font-variant: small-caps; } .role-error, .role-fatal { color: red; } .role-warning { color: orange; } blockquote { background: #f9f9f9; border-left: 10px solid #ccc; margin: 1.5em 10px; padding: 0.5em 10px; quotes: "\201C" "\201D" "\2018" "\2019"; width: 50%; } *[title] { cursor: help; } .assertion, .diagnostic { font-style: italic; } .assertion, .diagnostic { /*font-weight: bold;*/ font-size: inherit; } .assertion:before, .diagnostic:before { /*content: "affirmative message: ";*/ font-style: normal; font-weight: normal; } .diagnostic:before { /*content: "diagnostic message: ";*/ font-style: normal; } .substitution { font-family: monospace; background-color: lightgrey; } span.has-assertion { text-decoration: underline; text-decoration-color: green; -moz-text-decoration-color:green; } span.lacks-assertion { text-decoration: underline; text-decoration-color: orange; -moz-text-decoration-color:orange; }</style></head><body><h1>FedRAMP Validation Logic</h1><p>Last updated August 13 2021 15:27 EDT.</p><p>Information from <a href="#fedramp_values.xml"><code>fedramp_values.xml</code></a> and <a href="#FedRAMP_extensions.xml"><code>FedRAMP_extensions.xml</code></a> is presented.</p><h2>Business Rules</h2><p>References to a "checklist" are to the 
<cite>Agency Authorization Review Report</cite> document.</p><p>References to a "guide" are to one of the guides found <a target="_blank" href="https://github.com/18F/fedramp-automation/tree/develop/documents">here</a>.</p><table><thead><tr><th>Rule</th><th>References</th></tr></thead><tbody><tr><td><div>A FedRAMP SSP submission must provide an Executive Summary.</div></td><td><div>checklist-reference: Section A</div><span class="lacks-assertion">Lacks Schematron assertion(s)</span></td></tr><tr><td><div>A FedRAMP SSP submission must provide an Initial Authorization Package Checklist.</div></td><td><div>checklist-reference: Section B Check 1.0</div><span class="lacks-assertion">Lacks Schematron assertion(s)</span></td></tr><tr><td><div>A FedRAMP SSP submission must provide an Authority to Operate (ATO).</div></td><td><div>checklist-reference: Section B Check 2.0</div><span class="lacks-assertion">Lacks Schematron assertion(s)</span></td></tr><tr><td><div>A FedRAMP SSP must incorporate a policy document for each of the 17 NIST SP 800-54 Revision 4 control families.</div></td><td><div>checklist-reference: Section B Check 3.1</div><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §6</div><div>template-reference: System Security Plan Template §15</div><span class="has-assertion">Has Schematron assertion</span>: <code>has-policy-attachment-resource</code><details><summary>Related Schematron assertions</summary><div><a href="#resource-uuid-required">resource-uuid-required</a></div><div><a href="#"></a></div><div><a href="#has-user-guide">has-user-guide</a></div><div><a href="#has-rules-of-behavior">has-rules-of-behavior</a></div><div><a href="#has-information-system-contingency-plan">has-information-system-contingency-plan</a></div><div><a href="#has-configuration-management-plan">has-configuration-management-plan</a></div><div><a href="#has-incident-response-plan">has-incident-response-plan</a></div><div><a 
href="#has-separation-of-duties-matrix">has-separation-of-duties-matrix</a></div><div><a href="#policy-and-procedure">policy-and-procedure</a></div><div><a href="#"></a></div><div><a href="#has-policy-link">has-policy-link</a></div><div><a href="#has-policy-attachment-resource">has-policy-attachment-resource</a></div><div><a href="#has-procedure-link">has-procedure-link</a></div><div><a href="#has-procedure-attachment-resource">has-procedure-attachment-resource</a></div><div><a href="#"></a></div><div><a href="#has-reuse">has-reuse</a></div></details></td></tr><tr><td><div>A FedRAMP SSP must incorporate a procedure document for each of the 17 NIST SP 800-54 Revision 4 control families.</div></td><td><div>checklist-reference: Section B Check 3.1</div><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §6</div><div>template-reference: System Security Plan Template §15</div><span class="has-assertion">Has Schematron assertion</span>: <code>has-procedure-attachment-resource</code><details><summary>Related Schematron assertions</summary><div><a href="#resource-uuid-required">resource-uuid-required</a></div><div><a href="#"></a></div><div><a href="#has-user-guide">has-user-guide</a></div><div><a href="#has-rules-of-behavior">has-rules-of-behavior</a></div><div><a href="#has-information-system-contingency-plan">has-information-system-contingency-plan</a></div><div><a href="#has-configuration-management-plan">has-configuration-management-plan</a></div><div><a href="#has-incident-response-plan">has-incident-response-plan</a></div><div><a href="#has-separation-of-duties-matrix">has-separation-of-duties-matrix</a></div><div><a href="#policy-and-procedure">policy-and-procedure</a></div><div><a href="#"></a></div><div><a href="#has-policy-link">has-policy-link</a></div><div><a href="#has-policy-attachment-resource">has-policy-attachment-resource</a></div><div><a href="#has-procedure-link">has-procedure-link</a></div><div><a 
href="#has-procedure-attachment-resource">has-procedure-attachment-resource</a></div><div><a href="#"></a></div><div><a href="#has-reuse">has-reuse</a></div></details></td></tr><tr><td><div>FedRAMP SSP policy and procedure documents must have unique per-control-family associations.</div></td><td><div>checklist-reference: Section B Check 3.1</div><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §6</div><div>template-reference: System Security Plan Template §15</div><span class="has-assertion">Has Schematron assertion</span>: <code>has-reuse</code><details><summary>Related Schematron assertions</summary><div><a href="#resource-uuid-required">resource-uuid-required</a></div><div><a href="#"></a></div><div><a href="#has-user-guide">has-user-guide</a></div><div><a href="#has-rules-of-behavior">has-rules-of-behavior</a></div><div><a href="#has-information-system-contingency-plan">has-information-system-contingency-plan</a></div><div><a href="#has-configuration-management-plan">has-configuration-management-plan</a></div><div><a href="#has-incident-response-plan">has-incident-response-plan</a></div><div><a href="#has-separation-of-duties-matrix">has-separation-of-duties-matrix</a></div><div><a href="#policy-and-procedure">policy-and-procedure</a></div><div><a href="#"></a></div><div><a href="#has-policy-link">has-policy-link</a></div><div><a href="#has-policy-attachment-resource">has-policy-attachment-resource</a></div><div><a href="#has-procedure-link">has-procedure-link</a></div><div><a href="#has-procedure-attachment-resource">has-procedure-attachment-resource</a></div><div><a href="#"></a></div><div><a href="#has-reuse">has-reuse</a></div></details></td></tr><tr><td><div>A FedRAMP SSP must incorporate a User Guide.</div></td><td><div>attachment: §15 Attachment 2</div><div>checklist-reference: Section B Check 3.2</div><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §6</div><div>template-reference: System 
Security Plan Template §15</div><span class="has-assertion">Has Schematron assertion</span>: <code>has-user-guide</code><details><summary>Related Schematron assertions</summary><div><a href="#resource-uuid-required">resource-uuid-required</a></div><div><a href="#"></a></div><div><a href="#has-user-guide">has-user-guide</a></div><div><a href="#has-rules-of-behavior">has-rules-of-behavior</a></div><div><a href="#has-information-system-contingency-plan">has-information-system-contingency-plan</a></div><div><a href="#has-configuration-management-plan">has-configuration-management-plan</a></div><div><a href="#has-incident-response-plan">has-incident-response-plan</a></div><div><a href="#has-separation-of-duties-matrix">has-separation-of-duties-matrix</a></div><div><a href="#policy-and-procedure">policy-and-procedure</a></div><div><a href="#"></a></div><div><a href="#has-policy-link">has-policy-link</a></div><div><a href="#has-policy-attachment-resource">has-policy-attachment-resource</a></div><div><a href="#has-procedure-link">has-procedure-link</a></div><div><a href="#has-procedure-attachment-resource">has-procedure-attachment-resource</a></div><div><a href="#"></a></div><div><a href="#has-reuse">has-reuse</a></div></details></td></tr><tr><td><div>A FedRAMP SSP must incorporate a Digital Identity Determination.</div></td><td><div>checklist-reference: Section B Check 3.3, Section C Check 7</div><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §4.5</div><div>template-reference: System Security Plan Template §2.3</div><span class="has-assertion">Has Schematron assertion</span>: <code>has-security-eauth-level</code><details><summary>Related Schematron assertions</summary><div><a href="#sp800-63">sp800-63</a></div><div><a href="#"></a></div><div><a href="#has-security-eauth-level">has-security-eauth-level</a></div><div><a href="#has-identity-assurance-level">has-identity-assurance-level</a></div><div><a 
href="#has-authenticator-assurance-level">has-authenticator-assurance-level</a></div><div><a href="#has-federation-assurance-level">has-federation-assurance-level</a></div><div><a href="#"></a></div><div><a href="#has-allowed-security-eauth-level">has-allowed-security-eauth-level</a></div><div><a href="#"></a></div><div><a href="#has-allowed-identity-assurance-level">has-allowed-identity-assurance-level</a></div><div><a href="#"></a></div><div><a href="#has-allowed-authenticator-assurance-level">has-allowed-authenticator-assurance-level</a></div><div><a href="#"></a></div><div><a href="#has-allowed-federation-assurance-level">has-allowed-federation-assurance-level</a></div></details></td></tr><tr><td><div>A FedRAMP SSP must incorporate a Privacy Point of Contact role.</div></td><td><div>checklist-reference: Section B Check 3.4</div><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §6.2</div><span class="has-assertion">Has Schematron assertion</span>: <code>has-privacy-poc-role</code><details><summary>Related Schematron assertions</summary><div><a href="#"></a></div><div><a href="#has-privacy-poc-role">has-privacy-poc-role</a></div><div><a href="#has-responsible-party-privacy-poc-role">has-responsible-party-privacy-poc-role</a></div><div><a href="#has-responsible-privacy-poc-party-uuid">has-responsible-privacy-poc-party-uuid</a></div><div><a href="#has-privacy-poc">has-privacy-poc</a></div><div><a href="#has-correct-yes-or-no-answer">has-correct-yes-or-no-answer</a></div><div><a href="#has-privacy-sensitive-designation">has-privacy-sensitive-designation</a></div><div><a href="#has-pta-question-1">has-pta-question-1</a></div><div><a href="#has-pta-question-2">has-pta-question-2</a></div><div><a href="#has-pta-question-3">has-pta-question-3</a></div><div><a href="#has-pta-question-4">has-pta-question-4</a></div><div><a href="#has-all-pta-questions">has-all-pta-questions</a></div><div><a 
href="#has-correct-pta-question-cardinality">has-correct-pta-question-cardinality</a></div><div><a href="#has-sorn">has-sorn</a></div><div><a href="#has-pia">has-pia</a></div></details></td></tr><tr><td><div>A FedRAMP SSP must have all four PTA questions answered.</div></td><td><div>checklist-reference: Section B Check 3.4</div><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §6.4</div><span class="has-assertion">Has Schematron assertion</span>: <code>has-all-pta-questions</code><details><summary>Related Schematron assertions</summary><div><a href="#has-privacy-poc-role">has-privacy-poc-role</a></div><div><a href="#has-responsible-party-privacy-poc-role">has-responsible-party-privacy-poc-role</a></div><div><a href="#has-responsible-privacy-poc-party-uuid">has-responsible-privacy-poc-party-uuid</a></div><div><a href="#has-privacy-poc">has-privacy-poc</a></div><div><a href="#"></a></div><div><a href="#has-correct-yes-or-no-answer">has-correct-yes-or-no-answer</a></div><div><a href="#"></a></div><div><a href="#has-privacy-sensitive-designation">has-privacy-sensitive-designation</a></div><div><a href="#has-pta-question-1">has-pta-question-1</a></div><div><a href="#has-pta-question-2">has-pta-question-2</a></div><div><a href="#has-pta-question-3">has-pta-question-3</a></div><div><a href="#has-pta-question-4">has-pta-question-4</a></div><div><a href="#has-all-pta-questions">has-all-pta-questions</a></div><div><a href="#has-correct-pta-question-cardinality">has-correct-pta-question-cardinality</a></div><div><a href="#has-sorn">has-sorn</a></div><div><a href="#"></a></div><div><a href="#has-pia">has-pia</a></div></details></td></tr><tr><td><div>A FedRAMP SSP must incorporate Rules of Behavior.</div></td><td><div>attachment: §15 Attachment 5</div><div>checklist-reference: Section B Check 3.5</div><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §6</div><div>template-reference: System Security Plan Template 
§15</div><span class="has-assertion">Has Schematron assertion</span>: <code>has-rules-of-behavior</code><details><summary>Related Schematron assertions</summary><div><a href="#resource-uuid-required">resource-uuid-required</a></div><div><a href="#"></a></div><div><a href="#has-user-guide">has-user-guide</a></div><div><a href="#has-rules-of-behavior">has-rules-of-behavior</a></div><div><a href="#has-information-system-contingency-plan">has-information-system-contingency-plan</a></div><div><a href="#has-configuration-management-plan">has-configuration-management-plan</a></div><div><a href="#has-incident-response-plan">has-incident-response-plan</a></div><div><a href="#has-separation-of-duties-matrix">has-separation-of-duties-matrix</a></div><div><a href="#policy-and-procedure">policy-and-procedure</a></div><div><a href="#"></a></div><div><a href="#has-policy-link">has-policy-link</a></div><div><a href="#has-policy-attachment-resource">has-policy-attachment-resource</a></div><div><a href="#has-procedure-link">has-procedure-link</a></div><div><a href="#has-procedure-attachment-resource">has-procedure-attachment-resource</a></div><div><a href="#"></a></div><div><a href="#has-reuse">has-reuse</a></div></details></td></tr><tr><td><div>A FedRAMP SSP must incorporate a Contingency Plan.</div></td><td><div>attachment: §15 Attachment 6</div><div>checklist-reference: Section B Check 3.6</div><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §6</div><div>template-reference: System Security Plan Template §15</div><span class="has-assertion">Has Schematron assertion</span>: <code>has-information-system-contingency-plan</code><details><summary>Related Schematron assertions</summary><div><a href="#resource-uuid-required">resource-uuid-required</a></div><div><a href="#"></a></div><div><a href="#has-user-guide">has-user-guide</a></div><div><a href="#has-rules-of-behavior">has-rules-of-behavior</a></div><div><a 
href="#has-information-system-contingency-plan">has-information-system-contingency-plan</a></div><div><a href="#has-configuration-management-plan">has-configuration-management-plan</a></div><div><a href="#has-incident-response-plan">has-incident-response-plan</a></div><div><a href="#has-separation-of-duties-matrix">has-separation-of-duties-matrix</a></div><div><a href="#policy-and-procedure">policy-and-procedure</a></div><div><a href="#"></a></div><div><a href="#has-policy-link">has-policy-link</a></div><div><a href="#has-policy-attachment-resource">has-policy-attachment-resource</a></div><div><a href="#has-procedure-link">has-procedure-link</a></div><div><a href="#has-procedure-attachment-resource">has-procedure-attachment-resource</a></div><div><a href="#"></a></div><div><a href="#has-reuse">has-reuse</a></div></details></td></tr><tr><td><div>A FedRAMP SSP must incorporate a Configuration Management Plan.</div></td><td><div>attachment: §15 Attachment 7</div><div>checklist-reference: Section B Check 3.7</div><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §6</div><div>template-reference: System Security Plan Template §15</div><span class="has-assertion">Has Schematron assertion</span>: <code>has-configuration-management-plan</code><details><summary>Related Schematron assertions</summary><div><a href="#resource-uuid-required">resource-uuid-required</a></div><div><a href="#"></a></div><div><a href="#has-user-guide">has-user-guide</a></div><div><a href="#has-rules-of-behavior">has-rules-of-behavior</a></div><div><a href="#has-information-system-contingency-plan">has-information-system-contingency-plan</a></div><div><a href="#has-configuration-management-plan">has-configuration-management-plan</a></div><div><a href="#has-incident-response-plan">has-incident-response-plan</a></div><div><a href="#has-separation-of-duties-matrix">has-separation-of-duties-matrix</a></div><div><a 
href="#policy-and-procedure">policy-and-procedure</a></div><div><a href="#"></a></div><div><a href="#has-policy-link">has-policy-link</a></div><div><a href="#has-policy-attachment-resource">has-policy-attachment-resource</a></div><div><a href="#has-procedure-link">has-procedure-link</a></div><div><a href="#has-procedure-attachment-resource">has-procedure-attachment-resource</a></div><div><a href="#"></a></div><div><a href="#has-reuse">has-reuse</a></div></details></td></tr><tr><td><div>A FedRAMP SSP must incorporate an Incident Response Plan.</div></td><td><div>attachment: §15 Attachment 8</div><div>checklist-reference: Section B Check 3.8</div><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §6</div><div>template-reference: System Security Plan Template §15</div><span class="has-assertion">Has Schematron assertion</span>: <code>has-incident-response-plan</code><details><summary>Related Schematron assertions</summary><div><a href="#resource-uuid-required">resource-uuid-required</a></div><div><a href="#"></a></div><div><a href="#has-user-guide">has-user-guide</a></div><div><a href="#has-rules-of-behavior">has-rules-of-behavior</a></div><div><a href="#has-information-system-contingency-plan">has-information-system-contingency-plan</a></div><div><a href="#has-configuration-management-plan">has-configuration-management-plan</a></div><div><a href="#has-incident-response-plan">has-incident-response-plan</a></div><div><a href="#has-separation-of-duties-matrix">has-separation-of-duties-matrix</a></div><div><a href="#policy-and-procedure">policy-and-procedure</a></div><div><a href="#"></a></div><div><a href="#has-policy-link">has-policy-link</a></div><div><a href="#has-policy-attachment-resource">has-policy-attachment-resource</a></div><div><a href="#has-procedure-link">has-procedure-link</a></div><div><a href="#has-procedure-attachment-resource">has-procedure-attachment-resource</a></div><div><a href="#"></a></div><div><a 
href="#has-reuse">has-reuse</a></div></details></td></tr><tr><td><div>A FedRAMP SSP must incorporate a Control Implementation Summary (CIS) Workbook.</div></td><td><div>attachment: §15 Attachment 8</div><div>checklist-reference: Section B Check 3.8</div><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §6</div><div>template-reference: System Security Plan Template §15</div><span class="has-assertion">Has Schematron assertion</span>: <code>has-incident-response-plan</code><details><summary>Related Schematron assertions</summary><div><a href="#resource-uuid-required">resource-uuid-required</a></div><div><a href="#"></a></div><div><a href="#has-user-guide">has-user-guide</a></div><div><a href="#has-rules-of-behavior">has-rules-of-behavior</a></div><div><a href="#has-information-system-contingency-plan">has-information-system-contingency-plan</a></div><div><a href="#has-configuration-management-plan">has-configuration-management-plan</a></div><div><a href="#has-incident-response-plan">has-incident-response-plan</a></div><div><a href="#has-separation-of-duties-matrix">has-separation-of-duties-matrix</a></div><div><a href="#policy-and-procedure">policy-and-procedure</a></div><div><a href="#"></a></div><div><a href="#has-policy-link">has-policy-link</a></div><div><a href="#has-policy-attachment-resource">has-policy-attachment-resource</a></div><div><a href="#has-procedure-link">has-procedure-link</a></div><div><a href="#has-procedure-attachment-resource">has-procedure-attachment-resource</a></div><div><a href="#"></a></div><div><a href="#has-reuse">has-reuse</a></div></details></td></tr><tr><td><div>A FedRAMP SSP must specify a FIPS 199 categorization.</div></td><td><div>checklist-reference: Section B Check 3.10</div><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §4.4</div><div>template-reference: System Security Plan Template §2</div><span class="has-assertion">Has Schematron assertion</span>: 
<code>has-security-sensitivity-level</code><details><summary>Related Schematron assertions</summary><div><a href="#fips-199">fips-199</a></div><div><a href="#"></a></div><div><a href="#has-security-sensitivity-level">has-security-sensitivity-level</a></div><div><a href="#has-security-impact-level">has-security-impact-level</a></div><div><a href="#"></a></div><div><a href="#has-allowed-security-sensitivity-level">has-allowed-security-sensitivity-level</a></div><div><a href="#"></a></div><div><a href="#has-security-objective-confidentiality">has-security-objective-confidentiality</a></div><div><a href="#has-security-objective-integrity">has-security-objective-integrity</a></div><div><a href="#has-security-objective-availability">has-security-objective-availability</a></div><div><a href="#"></a></div><div><a href="#has-allowed-security-objective-value">has-allowed-security-objective-value</a></div><div><a href="#system-information-has-information-type">system-information-has-information-type</a></div></details></td></tr><tr><td><div>A FedRAMP SSP must incorporate a Separation of Duties Matrix.</div></td><td><div>attachment: §15 Attachment 11</div><div>checklist-reference: Section B Check 3.11</div><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §6</div><div>template-reference: System Security Plan Template §15</div><span class="has-assertion">Has Schematron assertion</span>: <code>has-separation-of-duties-matrix</code><details><summary>Related Schematron assertions</summary><div><a href="#resource-uuid-required">resource-uuid-required</a></div><div><a href="#"></a></div><div><a href="#has-user-guide">has-user-guide</a></div><div><a href="#has-rules-of-behavior">has-rules-of-behavior</a></div><div><a href="#has-information-system-contingency-plan">has-information-system-contingency-plan</a></div><div><a href="#has-configuration-management-plan">has-configuration-management-plan</a></div><div><a 
href="#has-incident-response-plan">has-incident-response-plan</a></div><div><a href="#has-separation-of-duties-matrix">has-separation-of-duties-matrix</a></div><div><a href="#policy-and-procedure">policy-and-procedure</a></div><div><a href="#"></a></div><div><a href="#has-policy-link">has-policy-link</a></div><div><a href="#has-policy-attachment-resource">has-policy-attachment-resource</a></div><div><a href="#has-procedure-link">has-procedure-link</a></div><div><a href="#has-procedure-attachment-resource">has-procedure-attachment-resource</a></div><div><a href="#"></a></div><div><a href="#has-reuse">has-reuse</a></div></details></td></tr><tr><td><div>A FedRAMP SSP must incorporate the FedRAMP Applicable Laws and Regulations.</div></td><td><div>attachment: §15 Attachment 12</div><div>checklist-reference: Section B Check 3.12</div><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP Content §4.10</div><span class="has-assertion">Has Schematron assertion</span>: <code>has-fedramp-citations</code><details><summary>Related Schematron assertions</summary><div><a href="#"></a></div><div><a href="#resource-base64-available-filename">resource-base64-available-filename</a></div><div><a href="#resource-base64-available-media-type">resource-base64-available-media-type</a></div><div><a href="#has-fedramp-citations">has-fedramp-citations</a></div></details></td></tr><tr><td><div>Within a FedRAMP SSP, the inventory is provided in the FedRAMP Integrated Inventory Workbook.</div></td><td><div>checklist-reference: Section B Check 3.13, Section C Check 14</div><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><span class="has-assertion">Has Schematron assertion</span>: <code>has-inventory-items</code><details><summary>Related Schematron assertions</summary><div><a href="#system-inventory">system-inventory</a></div><div><a href="#"></a></div><div><a href="#has-inventory-items">has-inventory-items</a></div><div><a href="#"></a></div><div><a 
href="#has-unique-asset-id">has-unique-asset-id</a></div><div><a href="#"></a></div><div><a href="#has-allowed-asset-type">has-allowed-asset-type</a></div><div><a href="#"></a></div><div><a href="#has-allowed-virtual">has-allowed-virtual</a></div><div><a href="#"></a></div><div><a href="#has-allowed-public">has-allowed-public</a></div><div><a href="#"></a></div><div><a href="#has-allowed-allows-authenticated-scan">has-allowed-allows-authenticated-scan</a></div><div><a href="#"></a></div><div><a href="#has-allowed-is-scanned">has-allowed-is-scanned</a></div><div><a href="#"></a></div><div><a href="#has-allowed-scan-type">has-allowed-scan-type</a></div><div><a href="#"></a></div><div><a href="#component-has-allowed-type">component-has-allowed-type</a></div><div><a href="#component-has-asset-type">component-has-asset-type</a></div><div><a href="#component-has-one-asset-type">component-has-one-asset-type</a></div><div><a href="#"></a></div><div><a href="#inventory-item-has-uuid">inventory-item-has-uuid</a></div><div><a href="#has-asset-id">has-asset-id</a></div><div><a href="#has-one-asset-id">has-one-asset-id</a></div><div><a href="#inventory-item-has-asset-type">inventory-item-has-asset-type</a></div><div><a href="#inventory-item-has-one-asset-type">inventory-item-has-one-asset-type</a></div><div><a href="#inventory-item-has-virtual">inventory-item-has-virtual</a></div><div><a href="#inventory-item-has-one-virtual">inventory-item-has-one-virtual</a></div><div><a href="#inventory-item-has-public">inventory-item-has-public</a></div><div><a href="#inventory-item-has-one-public">inventory-item-has-one-public</a></div><div><a href="#inventory-item-has-scan-type">inventory-item-has-scan-type</a></div><div><a href="#inventory-item-has-one-scan-type">inventory-item-has-one-scan-type</a></div><div><a href="#inventory-item-has-allows-authenticated-scan">inventory-item-has-allows-authenticated-scan</a></div><div><a 
href="#inventory-item-has-one-allows-authenticated-scan">inventory-item-has-one-allows-authenticated-scan</a></div><div><a href="#inventory-item-has-baseline-configuration-name">inventory-item-has-baseline-configuration-name</a></div><div><a href="#inventory-item-has-one-baseline-configuration-name">inventory-item-has-one-baseline-configuration-name</a></div><div><a href="#inventory-item-has-vendor-name">inventory-item-has-vendor-name</a></div><div><a href="#inventory-item-has-one-vendor-name">inventory-item-has-one-vendor-name</a></div><div><a href="#inventory-item-has-hardware-model">inventory-item-has-hardware-model</a></div><div><a href="#inventory-item-has-one-hardware-model">inventory-item-has-one-hardware-model</a></div><div><a href="#inventory-item-has-is-scanned">inventory-item-has-is-scanned</a></div><div><a href="#inventory-item-has-one-is-scanned">inventory-item-has-one-is-scanned</a></div><div><a href="#inventory-item-has-software-name">inventory-item-has-software-name</a></div><div><a href="#inventory-item-has-one-software-name">inventory-item-has-one-software-name</a></div><div><a href="#inventory-item-has-software-version">inventory-item-has-software-version</a></div><div><a href="#inventory-item-has-one-software-version">inventory-item-has-one-software-version</a></div><div><a href="#inventory-item-has-function">inventory-item-has-function</a></div><div><a href="#inventory-item-has-one-function">inventory-item-has-one-function</a></div></details></td></tr><tr><td><div>A FedRAMP SSP submission must include a Security Assessment Plan (SAP).</div></td><td><div>checklist-reference: Section B Check 4.0</div><span class="lacks-assertion">Lacks Schematron assertion(s)</span></td></tr><tr><td><div>A FedRAMP SSP submission must include a Security Assessment Report (SAR).</div></td><td><div>checklist-reference: Section B Check 5.0</div><span class="lacks-assertion">Lacks Schematron assertion(s)</span></td></tr><tr><td><div>A FedRAMP SSP submission must 
include Plans of Action and Milestones (POA&amp;Ms).</div></td><td><div>checklist-reference: Section B Check 6.0</div><span class="lacks-assertion">Lacks Schematron assertion(s)</span></td></tr><tr><td><div>A FedRAMP SSP submission must include a Continuous Monitoring Plan (ConMon Plan).</div></td><td><div>checklist-reference: Section B Check 7.0</div><span class="lacks-assertion">Lacks Schematron assertion(s)</span></td></tr><tr><td><div>A FedRAMP SSP must use the correct FedRAMP SSP Template.</div></td><td><div>checklist-reference: Section C Check 1a</div><span class="lacks-assertion">Lacks Schematron assertion(s)</span></td></tr><tr><td><div>A FedRAMP SSP must use the correct FedRAMP Deployment Model.</div></td><td><div>checklist-reference: Section C Check 1b</div><span class="lacks-assertion">Lacks Schematron assertion(s)</span></td></tr><tr><td><div>Within a FedRAMP SSP, all controls have at least one implementation status checkbox selected.</div></td><td><div>checklist-reference: Section C Check 2</div><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §5.3</div><div>organizational-id: section-c.6</div><div>template-reference: System Security Plan Template §13</div><span class="has-assertion">Has Schematron assertion</span>: <code>implemented-requirement-has-implementation-status</code><details><summary>Related Schematron assertions</summary><div><a href="#incomplete-all-implemented-requirements">incomplete-all-implemented-requirements</a></div><div><a href="#extraneous-implemented-requirements">extraneous-implemented-requirements</a></div><div><a href="#invalid-implementation-status">invalid-implementation-status</a></div><div><a href="#missing-response-points">missing-response-points</a></div><div><a href="#missing-response-components">missing-response-components</a></div><div><a href="#extraneous-response-description">extraneous-response-description</a></div><div><a 
href="#extraneous-response-remarks">extraneous-response-remarks</a></div><div><a href="#invalid-component-match">invalid-component-match</a></div><div><a href="#missing-component-description">missing-component-description</a></div><div><a href="#incomplete-response-description">incomplete-response-description</a></div><div><a href="#incomplete-response-remarks">incomplete-response-remarks</a></div><div><a href="#responsible-role-has-role-definition">responsible-role-has-role-definition</a></div><div><a href="#responsible-role-has-user">responsible-role-has-user</a></div><div><a href="#control-implementation">control-implementation</a></div><div><a href="#"></a></div><div><a href="#system-security-plan-has-import-profile">system-security-plan-has-import-profile</a></div><div><a href="#"></a></div><div><a href="#import-profile-has-href-attribute">import-profile-has-href-attribute</a></div><div><a href="#"></a></div><div><a href="#implemented-requirement-has-implementation-status">implemented-requirement-has-implementation-status</a></div><div><a href="#implemented-requirement-has-planned-completion-date">implemented-requirement-has-planned-completion-date</a></div><div><a href="#implemented-requirement-has-control-origination">implemented-requirement-has-control-origination</a></div><div><a href="#implemented-requirement-has-allowed-control-origination">implemented-requirement-has-allowed-control-origination</a></div><div><a href="#implemented-requirement-has-leveraged-authorization">implemented-requirement-has-leveraged-authorization</a></div><div><a href="#"></a></div><div><a href="#implemented-requirement-has-implementation-status-remarks">implemented-requirement-has-implementation-status-remarks</a></div><div><a href="#"></a></div><div><a href="#planned-completion-date-is-valid">planned-completion-date-is-valid</a></div><div><a href="#planned-completion-date-is-not-past">planned-completion-date-is-not-past</a></div></details></td></tr><tr><td><div>Within a 
FedRAMP SSP, all critical controls are implemented.</div></td><td><div>checklist-reference: Section C Check 3</div><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §5</div><div>organizational-id: section-c.3</div><span class="has-assertion">Has Schematron assertion</span>: <code>incomplete-core-implemented-requirements</code><details><summary>Related Schematron assertions</summary><div><a href="#implemented-response-points">implemented-response-points</a></div><div><a href="#"></a></div><div><a href="#each-required-control-report">each-required-control-report</a></div><div><a href="#incomplete-core-implemented-requirements">incomplete-core-implemented-requirements</a></div><div><a href="#incomplete-all-implemented-requirements">incomplete-all-implemented-requirements</a></div><div><a href="#extraneous-implemented-requirements">extraneous-implemented-requirements</a></div><div><a href="#control-implemented-requirements-stats">control-implemented-requirements-stats</a></div><div><a href="#missing-response-points">missing-response-points</a></div><div><a href="#missing-response-components">missing-response-components</a></div><div><a href="#extraneous-response-description">extraneous-response-description</a></div><div><a href="#extraneous-response-remarks">extraneous-response-remarks</a></div><div><a href="#invalid-component-match">invalid-component-match</a></div><div><a href="#missing-component-description">missing-component-description</a></div><div><a href="#incomplete-response-description">incomplete-response-description</a></div><div><a href="#incomplete-response-remarks">incomplete-response-remarks</a></div></details></td></tr><tr><td><div>Within a FedRAMP SSP, customer responsibilities are clearly identified in the CIS-CRM Tab, as well as the SSP Controls (by checkbox
selected and in the implementation description). The CIS-CRM and SSP controls are consistent for customer responsibilities.</div></td><td><div>checklist-reference: Section C Check 4a</div><span class="lacks-assertion">Lacks Schematron assertion(s)</span></td></tr><tr><td><div>Within a FedRAMP SSP, the Initial Authorizing Agency concurs with the CRM (adequacy and clarity of customer
responsibilities).</div></td><td><div>checklist-reference: Section C Check 4b</div><span class="lacks-assertion">Lacks Schematron assertion(s)</span></td></tr><tr><td><div>Within a FedRAMP SSP, the Roles Table (User Roles and Privileges) sufficiently describes the range of user roles, responsibilities,
and access privileges.</div></td><td><div>checklist-reference: Section C Check 5</div><span class="lacks-assertion">Lacks Schematron assertion(s)</span></td></tr><tr><td><div>Within a FedRAMP SSP, in the control summary tables, the information in the Responsible Role row correctly describes the required
entities responsible for fulfilling the control.</div></td><td><div>checklist-reference: Section C Check 6</div><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §5.2</div><span class="has-assertion">Has Schematron assertion</span>: <code>implemented-requirement-has-responsible-role</code><details><summary>Related Schematron assertions</summary><div><a href="#implementation-roles">implementation-roles</a></div><div><a href="#"></a></div><div><a href="#implemented-requirement-has-responsible-role">implemented-requirement-has-responsible-role</a></div><div><a href="#"></a></div><div><a href="#responsible-role-has-role-definition">responsible-role-has-role-definition</a></div><div><a href="#responsible-role-has-user">responsible-role-has-user</a></div></details></td></tr><tr><td><div>Within a FedRAMP SSP, the appropriate Digital Identity Level is selected.</div></td><td><div>checklist-reference: Section B Check 3.3, Section C Check 7</div><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §4.5</div><div>template-reference: System Security Plan Template §2.3</div><span class="has-assertion">Has Schematron assertion</span>: <code>has-security-eauth-level</code><details><summary>Related Schematron assertions</summary><div><a href="#sp800-63">sp800-63</a></div><div><a href="#"></a></div><div><a href="#has-security-eauth-level">has-security-eauth-level</a></div><div><a href="#has-identity-assurance-level">has-identity-assurance-level</a></div><div><a href="#has-authenticator-assurance-level">has-authenticator-assurance-level</a></div><div><a href="#has-federation-assurance-level">has-federation-assurance-level</a></div><div><a href="#"></a></div><div><a href="#has-allowed-security-eauth-level">has-allowed-security-eauth-level</a></div><div><a href="#"></a></div><div><a href="#has-allowed-identity-assurance-level">has-allowed-identity-assurance-level</a></div><div><a href="#"></a></div><div><a 
href="#has-allowed-authenticator-assurance-level">has-allowed-authenticator-assurance-level</a></div><div><a href="#"></a></div><div><a href="#has-allowed-federation-assurance-level">has-allowed-federation-assurance-level</a></div></details></td></tr><tr><td><div>Within a FedRAMP SSP, the authorization boundary is explicitly identified in the network diagram.</div></td><td><div>checklist-reference: Section C Check 8a</div><span class="lacks-assertion">Lacks Schematron assertion(s)</span></td></tr><tr><td><div>Within a FedRAMP SSP, does the CSO provide components to run on the client side?</div></td><td><div>checklist-reference: Section C Check 8b</div><span class="lacks-assertion">Lacks Schematron assertion(s)</span></td></tr><tr><td><div>Within a FedRAMP SSP, there is a data flow diagram that clearly illustrates the flow and protection of data going in and out of the
service boundary and that includes all traffic flows for both internal and external users.</div></td><td><div>checklist-reference: Section C Check 9</div><span class="lacks-assertion">Lacks Schematron assertion(s)</span></td></tr><tr><td><div>Within a FedRAMP SSP, does the CSP use any third-party or external cloud services that lack FedRAMP Authorization?</div></td><td><div>checklist-reference: Section C Check 10</div><span class="lacks-assertion">Lacks Schematron assertion(s)</span></td></tr><tr><td><div>Within a FedRAMP SSP, if this is a SaaS or a PaaS, is it "leveraging" another IaaS with a FedRAMP Authorization?</div></td><td><div>checklist-reference: Section C Check 11a</div><span class="lacks-assertion">Lacks Schematron assertion(s)</span></td></tr><tr><td><div>Within a FedRAMP SSP, if 11a is Yes, the "inherited" controls are clearly identified in the control descriptions.</div></td><td><div>checklist-reference: Section C Check 11b</div><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §5.3.1.1</div><div>template-reference: System Security Plan Template §13</div><span class="has-assertion">Has Schematron assertion</span>: <code>implemented-requirement-has-leveraged-authorization</code><details><summary>Related Schematron assertions</summary><div><a href="#incomplete-all-implemented-requirements">incomplete-all-implemented-requirements</a></div><div><a href="#extraneous-implemented-requirements">extraneous-implemented-requirements</a></div><div><a href="#invalid-implementation-status">invalid-implementation-status</a></div><div><a href="#missing-response-points">missing-response-points</a></div><div><a href="#missing-response-components">missing-response-components</a></div><div><a href="#extraneous-response-description">extraneous-response-description</a></div><div><a href="#extraneous-response-remarks">extraneous-response-remarks</a></div><div><a href="#invalid-component-match">invalid-component-match</a></div><div><a 
href="#missing-component-description">missing-component-description</a></div><div><a href="#incomplete-response-description">incomplete-response-description</a></div><div><a href="#incomplete-response-remarks">incomplete-response-remarks</a></div><div><a href="#responsible-role-has-role-definition">responsible-role-has-role-definition</a></div><div><a href="#responsible-role-has-user">responsible-role-has-user</a></div><div><a href="#control-implementation">control-implementation</a></div><div><a href="#"></a></div><div><a href="#system-security-plan-has-import-profile">system-security-plan-has-import-profile</a></div><div><a href="#"></a></div><div><a href="#import-profile-has-href-attribute">import-profile-has-href-attribute</a></div><div><a href="#"></a></div><div><a href="#implemented-requirement-has-implementation-status">implemented-requirement-has-implementation-status</a></div><div><a href="#implemented-requirement-has-planned-completion-date">implemented-requirement-has-planned-completion-date</a></div><div><a href="#implemented-requirement-has-control-origination">implemented-requirement-has-control-origination</a></div><div><a href="#implemented-requirement-has-allowed-control-origination">implemented-requirement-has-allowed-control-origination</a></div><div><a href="#implemented-requirement-has-leveraged-authorization">implemented-requirement-has-leveraged-authorization</a></div><div><a href="#"></a></div><div><a href="#implemented-requirement-has-implementation-status-remarks">implemented-requirement-has-implementation-status-remarks</a></div><div><a href="#"></a></div><div><a href="#planned-completion-date-is-valid">planned-completion-date-is-valid</a></div></details></td></tr><tr><td><div>Within a FedRAMP SSP, all interconnections are correctly identified and documented in the SSP.</div></td><td><div>checklist-reference: Section C Check 12</div><span class="lacks-assertion">Lacks Schematron assertion(s)</span></td></tr><tr><td><div>Within a FedRAMP 
SSP, all required controls are present.</div></td><td><div>checklist-reference: Section C Check 2</div><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §5</div><div>organizational-id: section-c.2</div><span class="has-assertion">Has Schematron assertion</span>: <code>incomplete-all-implemented-requirements</code><details><summary>Related Schematron assertions</summary><div><a href="#implemented-response-points">implemented-response-points</a></div><div><a href="#"></a></div><div><a href="#each-required-control-report">each-required-control-report</a></div><div><a href="#incomplete-core-implemented-requirements">incomplete-core-implemented-requirements</a></div><div><a href="#incomplete-all-implemented-requirements">incomplete-all-implemented-requirements</a></div><div><a href="#extraneous-implemented-requirements">extraneous-implemented-requirements</a></div><div><a href="#control-implemented-requirements-stats">control-implemented-requirements-stats</a></div><div><a href="#invalid-implementation-status">invalid-implementation-status</a></div><div><a href="#missing-response-points">missing-response-points</a></div><div><a href="#missing-response-components">missing-response-components</a></div><div><a href="#extraneous-response-description">extraneous-response-description</a></div><div><a href="#extraneous-response-remarks">extraneous-response-remarks</a></div><div><a href="#invalid-component-match">invalid-component-match</a></div><div><a href="#missing-component-description">missing-component-description</a></div><div><a href="#incomplete-response-description">incomplete-response-description</a></div><div><a href="#incomplete-response-remarks">incomplete-response-remarks</a></div><div><a href="#incorrect-role-association">incorrect-role-association</a></div><div><a href="#incorrect-party-association">incorrect-party-association</a></div><div><a 
href="#responsible-role-has-role-definition">responsible-role-has-role-definition</a></div><div><a href="#responsible-role-has-user">responsible-role-has-user</a></div><div><a href="#control-implementation">control-implementation</a></div><div><a href="#"></a></div><div><a href="#system-security-plan-has-import-profile">system-security-plan-has-import-profile</a></div><div><a href="#"></a></div><div><a href="#import-profile-has-href-attribute">import-profile-has-href-attribute</a></div><div><a href="#"></a></div><div><a href="#implemented-requirement-has-implementation-status">implemented-requirement-has-implementation-status</a></div><div><a href="#implemented-requirement-has-planned-completion-date">implemented-requirement-has-planned-completion-date</a></div><div><a href="#implemented-requirement-has-control-origination">implemented-requirement-has-control-origination</a></div><div><a href="#implemented-requirement-has-allowed-control-origination">implemented-requirement-has-allowed-control-origination</a></div><div><a href="#implemented-requirement-has-leveraged-authorization">implemented-requirement-has-leveraged-authorization</a></div><div><a href="#"></a></div><div><a href="#implemented-requirement-has-implementation-status-remarks">implemented-requirement-has-implementation-status-remarks</a></div><div><a href="#"></a></div><div><a href="#planned-completion-date-is-valid">planned-completion-date-is-valid</a></div></details></td></tr><tr><td><div>Within a FedRAMP SSP, the CSO is compliant with DNSSEC. (Controls SC-20 and SC-21 apply).</div></td><td><div>checklist-reference: Section C Check 15</div><span class="lacks-assertion">Lacks Schematron assertion(s)</span></td></tr><tr><td><div>Within a FedRAMP SSP, the CSO adequately employs Domain-based Message Authentication, Reporting &amp; Conformance (DMARC)
requirements according to DHS BOD 18-01.</div></td><td><div>checklist-reference: Section C Check 16</div><span class="lacks-assertion">Lacks Schematron assertion(s)</span></td></tr><tr><td><div>A FedRAMP SSP must incorporate the FedRAMP Master Acronym and Glossary.</div></td><td><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP Content §4.8</div><div>template-reference: System Security Plan Template §14</div><span class="has-assertion">Has Schematron assertion</span>: <code>has-fedramp-acronyms</code><details><summary>Related Schematron assertions</summary><div><a href="#has-fedramp-acronyms">has-fedramp-acronyms</a></div></details></td></tr><tr><td><div>A FedRAMP SSP must incorporate the FedRAMP Logo.</div></td><td><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP Content §4.1</div><span class="has-assertion">Has Schematron assertion</span>: <code>has-fedramp-logo</code><details><summary>Related Schematron assertions</summary><div><a href="#has-fedramp-logo">has-fedramp-logo</a></div></details></td></tr><tr><td><div>A FedRAMP SSP must incorporate one or more NIST CMVP-validated cryptographic modules (FIPS 140).</div></td><td><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans Appendix A</div><span class="has-assertion">Has Schematron assertion</span>: <code>has-CMVP-validation</code><details><summary>Related Schematron assertions</summary><div><a href="#fips-140">fips-140</a></div><div><a href="#"></a></div><div><a href="#has-CMVP-validation">has-CMVP-validation</a></div><div><a href="#"></a></div><div><a href="#has-CMVP-validation-reference">has-CMVP-validation-reference</a></div><div><a href="#has-CMVP-validation-details">has-CMVP-validation-details</a></div><div><a href="#"></a></div><div><a href="#has-credible-CMVP-validation-reference">has-credible-CMVP-validation-reference</a></div><div><a href="#has-consonant-CMVP-validation-reference">has-consonant-CMVP-validation-reference</a></div><div><a 
href="#"></a></div><div><a href="#has-credible-CMVP-validation-details">has-credible-CMVP-validation-details</a></div><div><a href="#has-consonant-CMVP-validation-details">has-consonant-CMVP-validation-details</a></div></details></td></tr><tr><td><div>A FedRAMP SSP must specify one or more SP 800-60v2r1 information types.</div></td><td><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §4.3</div><div>template-reference: System Security Plan Template §2.1</div><span class="has-assertion">Has Schematron assertion</span>: <code>has-allowed-information-type-id</code><details><summary>Related Schematron assertions</summary><div><a href="#sp800-60">sp800-60</a></div><div><a href="#"></a></div><div><a href="#system-information-has-information-type">system-information-has-information-type</a></div><div><a href="#"></a></div><div><a href="#information-type-has-title">information-type-has-title</a></div><div><a href="#information-type-has-description">information-type-has-description</a></div><div><a href="#information-type-has-categorization">information-type-has-categorization</a></div><div><a href="#information-type-has-confidentiality-impact">information-type-has-confidentiality-impact</a></div><div><a href="#information-type-has-integrity-impact">information-type-has-integrity-impact</a></div><div><a href="#information-type-has-availability-impact">information-type-has-availability-impact</a></div><div><a href="#"></a></div><div><a href="#categorization-has-system-attribute">categorization-has-system-attribute</a></div><div><a href="#categorization-has-correct-system-attribute">categorization-has-correct-system-attribute</a></div><div><a href="#categorization-has-information-type-id">categorization-has-information-type-id</a></div><div><a href="#"></a></div><div><a href="#has-allowed-information-type-id">has-allowed-information-type-id</a></div><div><a href="#"></a></div><div><a href="#cia-impact-has-base">cia-impact-has-base</a></div><div><a 
href="#cia-impact-has-selected">cia-impact-has-selected</a></div><div><a href="#"></a></div><div><a href="#cia-impact-has-approved-fips-categorization">cia-impact-has-approved-fips-categorization</a></div></details></td></tr><tr><td><div>A FedRAMP SSP must incorporate a system inventory.</div></td><td><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><span class="has-assertion">Has Schematron assertion</span>: <code>has-inventory-items</code><details><summary>Related Schematron assertions</summary><div><a href="#system-inventory">system-inventory</a></div><div><a href="#"></a></div><div><a href="#has-inventory-items">has-inventory-items</a></div><div><a href="#"></a></div><div><a href="#has-unique-asset-id">has-unique-asset-id</a></div><div><a href="#"></a></div><div><a href="#has-allowed-asset-type">has-allowed-asset-type</a></div><div><a href="#"></a></div><div><a href="#has-allowed-virtual">has-allowed-virtual</a></div><div><a href="#"></a></div><div><a href="#has-allowed-public">has-allowed-public</a></div><div><a href="#"></a></div><div><a href="#has-allowed-allows-authenticated-scan">has-allowed-allows-authenticated-scan</a></div><div><a href="#"></a></div><div><a href="#has-allowed-is-scanned">has-allowed-is-scanned</a></div><div><a href="#"></a></div><div><a href="#has-allowed-scan-type">has-allowed-scan-type</a></div><div><a href="#"></a></div><div><a href="#component-has-allowed-type">component-has-allowed-type</a></div><div><a href="#component-has-asset-type">component-has-asset-type</a></div><div><a href="#component-has-one-asset-type">component-has-one-asset-type</a></div><div><a href="#"></a></div><div><a href="#inventory-item-has-uuid">inventory-item-has-uuid</a></div><div><a href="#has-asset-id">has-asset-id</a></div><div><a href="#has-one-asset-id">has-one-asset-id</a></div><div><a href="#inventory-item-has-asset-type">inventory-item-has-asset-type</a></div><div><a 
href="#inventory-item-has-one-asset-type">inventory-item-has-one-asset-type</a></div><div><a href="#inventory-item-has-virtual">inventory-item-has-virtual</a></div><div><a href="#inventory-item-has-one-virtual">inventory-item-has-one-virtual</a></div><div><a href="#inventory-item-has-public">inventory-item-has-public</a></div><div><a href="#inventory-item-has-one-public">inventory-item-has-one-public</a></div><div><a href="#inventory-item-has-scan-type">inventory-item-has-scan-type</a></div><div><a href="#inventory-item-has-one-scan-type">inventory-item-has-one-scan-type</a></div><div><a href="#inventory-item-has-allows-authenticated-scan">inventory-item-has-allows-authenticated-scan</a></div><div><a href="#inventory-item-has-one-allows-authenticated-scan">inventory-item-has-one-allows-authenticated-scan</a></div><div><a href="#inventory-item-has-baseline-configuration-name">inventory-item-has-baseline-configuration-name</a></div><div><a href="#inventory-item-has-one-baseline-configuration-name">inventory-item-has-one-baseline-configuration-name</a></div><div><a href="#inventory-item-has-vendor-name">inventory-item-has-vendor-name</a></div><div><a href="#inventory-item-has-one-vendor-name">inventory-item-has-one-vendor-name</a></div><div><a href="#inventory-item-has-hardware-model">inventory-item-has-hardware-model</a></div><div><a href="#inventory-item-has-one-hardware-model">inventory-item-has-one-hardware-model</a></div><div><a href="#inventory-item-has-is-scanned">inventory-item-has-is-scanned</a></div><div><a href="#inventory-item-has-one-is-scanned">inventory-item-has-one-is-scanned</a></div><div><a href="#inventory-item-has-software-name">inventory-item-has-software-name</a></div><div><a href="#inventory-item-has-one-software-name">inventory-item-has-one-software-name</a></div><div><a href="#inventory-item-has-software-version">inventory-item-has-software-version</a></div><div><a 
href="#inventory-item-has-one-software-version">inventory-item-has-one-software-version</a></div><div><a href="#inventory-item-has-function">inventory-item-has-function</a></div><div><a href="#inventory-item-has-one-function">inventory-item-has-one-function</a></div></details></td></tr><tr><td><div>A FedRAMP SSP must have a FedRAMP system-id.</div></td><td><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §4.1</div><div>template-reference: System Security Plan Template §1</div><span class="has-assertion">Has Schematron assertion</span>: <code>has-system-id</code><details><summary>Related Schematron assertions</summary><div><a href="#has-system-id">has-system-id</a></div><div><a href="#has-system-name">has-system-name</a></div><div><a href="#has-system-name-short">has-system-name-short</a></div></details></td></tr><tr><td><div>A FedRAMP SSP must have a system name.</div></td><td><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §4.1</div><div>template-reference: System Security Plan Template §1</div><span class="has-assertion">Has Schematron assertion</span>: <code>has-system-name</code><details><summary>Related Schematron assertions</summary><div><a href="#has-system-id">has-system-id</a></div><div><a href="#has-system-name">has-system-name</a></div><div><a href="#has-system-name-short">has-system-name-short</a></div></details></td></tr><tr><td><div>A FedRAMP SSP must have a short system name.</div></td><td><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §4.1</div><div>template-reference: System Security Plan Template §1</div><span class="has-assertion">Has Schematron assertion</span>: <code>has-system-name-short</code><details><summary>Related Schematron assertions</summary><div><a href="#has-system-id">has-system-id</a></div><div><a href="#has-system-name">has-system-name</a></div><div><a 
href="#has-system-name-short">has-system-name-short</a></div></details></td></tr><tr><td><div>A FedRAMP SSP must have a FedRAMP authorization type.</div></td><td><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §4.2</div><span class="has-assertion">Has Schematron assertion</span>: <code>has-fedramp-authorization-type</code><details><summary>Related Schematron assertions</summary><div><a href="#no-security-sensitivity-level">no-security-sensitivity-level</a></div><div><a href="#invalid-security-sensitivity-level">invalid-security-sensitivity-level</a></div><div><a href="#has-fedramp-authorization-type">has-fedramp-authorization-type</a></div></details></td></tr><tr><td><div>A FedRAMP SSP must identify the system owner.</div></td><td><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §4.6</div><div>template-reference: System Security Plan Template §3</div><span class="has-assertion">Has Schematron assertion</span>: <code>role-defined-system-owner</code><details><summary>Related Schematron assertions</summary><div><a href="#role-defined-system-owner">role-defined-system-owner</a></div></details></td></tr><tr><td><div>A FedRAMP SSP must identify the authorizing official.</div></td><td><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §4.7</div><div>template-reference: System Security Plan Template §4</div><span class="has-assertion">Has Schematron assertion</span>: <code>role-defined-authorizing-official</code><details><summary>Related Schematron assertions</summary><div><a href="#role-defined-authorizing-official">role-defined-authorizing-official</a></div></details></td></tr><tr><td><div>A FedRAMP SSP must identify the system management point of contact.</div></td><td><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §4.8</div><div>template-reference: System Security Plan Template §5</div><span class="has-assertion">Has Schematron assertion</span>: 
<code>role-defined-system-poc-management</code><details><summary>Related Schematron assertions</summary><div><a href="#role-defined-system-poc-management">role-defined-system-poc-management</a></div><div><a href="#role-defined-system-poc-technical">role-defined-system-poc-technical</a></div><div><a href="#role-defined-system-poc-other">role-defined-system-poc-other</a></div></details></td></tr><tr><td><div>A FedRAMP SSP must identify the system technical point of contact.</div></td><td><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §4.9</div><div>template-reference: System Security Plan Template §5</div><span class="has-assertion">Has Schematron assertion</span>: <code>role-defined-system-poc-technical</code><details><summary>Related Schematron assertions</summary><div><a href="#role-defined-system-poc-management">role-defined-system-poc-management</a></div><div><a href="#role-defined-system-poc-technical">role-defined-system-poc-technical</a></div><div><a href="#role-defined-system-poc-other">role-defined-system-poc-other</a></div></details></td></tr><tr><td><div>A FedRAMP SSP must identify the system other point of contact.</div></td><td><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §4.9</div><div>template-reference: System Security Plan Template §5</div><span class="has-assertion">Has Schematron assertion</span>: <code>role-defined-system-poc-other</code><details><summary>Related Schematron assertions</summary><div><a href="#role-defined-system-poc-management">role-defined-system-poc-management</a></div><div><a href="#role-defined-system-poc-technical">role-defined-system-poc-technical</a></div><div><a href="#role-defined-system-poc-other">role-defined-system-poc-other</a></div></details></td></tr><tr><td><div>A FedRAMP SSP must incorporate an authorization boundary diagram.</div></td><td><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §4.17 Authorization Boundary 
Diagram</div><div>template-reference: System Security Plan Template §9.2</div><span class="has-assertion">Has Schematron assertion</span>: <code>has-authorization-boundary</code><details><summary>Related Schematron assertions</summary><div><a href="#authorization-boundary">authorization-boundary</a></div><div><a href="#"></a></div><div><a href="#has-authorization-boundary">has-authorization-boundary</a></div><div><a href="#"></a></div><div><a href="#has-authorization-boundary-description">has-authorization-boundary-description</a></div><div><a href="#has-authorization-boundary-diagram">has-authorization-boundary-diagram</a></div><div><a href="#"></a></div><div><a href="#has-authorization-boundary-diagram-uuid">has-authorization-boundary-diagram-uuid</a></div><div><a href="#has-authorization-boundary-diagram-description">has-authorization-boundary-diagram-description</a></div><div><a href="#has-authorization-boundary-diagram-link">has-authorization-boundary-diagram-link</a></div><div><a href="#has-authorization-boundary-diagram-caption">has-authorization-boundary-diagram-caption</a></div><div><a href="#"></a></div><div><a href="#has-authorization-boundary-diagram-link-rel">has-authorization-boundary-diagram-link-rel</a></div><div><a href="#has-authorization-boundary-diagram-link-rel-allowed-value">has-authorization-boundary-diagram-link-rel-allowed-value</a></div><div><a href="#has-authorization-boundary-diagram-link-href-target">has-authorization-boundary-diagram-link-href-target</a></div></details></td></tr><tr><td><div>A FedRAMP SSP must incorporate a network-architecture diagram.</div></td><td><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §4.22 Network Architecture Diagram</div><div>template-reference: System Security Plan Template §9.4</div><span class="has-assertion">Has Schematron assertion</span>: <code>has-network-architecture</code><details><summary>Related Schematron assertions</summary><div><a 
href="#network-architecture">network-architecture</a></div><div><a href="#"></a></div><div><a href="#has-network-architecture">has-network-architecture</a></div><div><a href="#"></a></div><div><a href="#has-network-architecture-description">has-network-architecture-description</a></div><div><a href="#has-network-architecture-diagram">has-network-architecture-diagram</a></div><div><a href="#"></a></div><div><a href="#has-network-architecture-diagram-uuid">has-network-architecture-diagram-uuid</a></div><div><a href="#has-network-architecture-diagram-description">has-network-architecture-diagram-description</a></div><div><a href="#has-network-architecture-diagram-link">has-network-architecture-diagram-link</a></div><div><a href="#has-network-architecture-diagram-caption">has-network-architecture-diagram-caption</a></div><div><a href="#"></a></div><div><a href="#has-network-architecture-diagram-link-rel">has-network-architecture-diagram-link-rel</a></div><div><a href="#has-network-architecture-diagram-link-rel-allowed-value">has-network-architecture-diagram-link-rel-allowed-value</a></div><div><a href="#has-network-architecture-diagram-link-href-target">has-network-architecture-diagram-link-href-target</a></div></details></td></tr><tr><td><div>A FedRAMP SSP must incorporate a data-flow diagram.</div></td><td><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §4.24 Data Flow Diagram</div><div>template-reference: System Security Plan Template §10.1</div><span class="has-assertion">Has Schematron assertion</span>: <code>has-data-flow</code><details><summary>Related Schematron assertions</summary><div><a href="#data-flow">data-flow</a></div><div><a href="#"></a></div><div><a href="#has-data-flow">has-data-flow</a></div><div><a href="#"></a></div><div><a href="#has-data-flow-description">has-data-flow-description</a></div><div><a href="#has-data-flow-diagram">has-data-flow-diagram</a></div><div><a href="#"></a></div><div><a 
href="#has-data-flow-diagram-uuid">has-data-flow-diagram-uuid</a></div><div><a href="#has-data-flow-diagram-description">has-data-flow-diagram-description</a></div><div><a href="#has-data-flow-diagram-link">has-data-flow-diagram-link</a></div><div><a href="#has-data-flow-diagram-caption">has-data-flow-diagram-caption</a></div><div><a href="#"></a></div><div><a href="#has-data-flow-diagram-link-rel">has-data-flow-diagram-link-rel</a></div><div><a href="#has-data-flow-diagram-link-rel-allowed-value">has-data-flow-diagram-link-rel-allowed-value</a></div><div><a href="#has-data-flow-diagram-link-href-target">has-data-flow-diagram-link-href-target</a></div></details></td></tr><tr><td><div>A FedRAMP SSP must employ a FedRAMP OSCAL profile.</div></td><td><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §5.1</div><div>template-reference: System Security Plan Template §13</div><span class="has-assertion">Has Schematron assertion</span>: <code>system-security-plan-has-import-profile</code><details><summary>Related Schematron assertions</summary><div><a href="#incomplete-all-implemented-requirements">incomplete-all-implemented-requirements</a></div><div><a href="#extraneous-implemented-requirements">extraneous-implemented-requirements</a></div><div><a href="#invalid-implementation-status">invalid-implementation-status</a></div><div><a href="#missing-response-points">missing-response-points</a></div><div><a href="#missing-response-components">missing-response-components</a></div><div><a href="#extraneous-response-description">extraneous-response-description</a></div><div><a href="#extraneous-response-remarks">extraneous-response-remarks</a></div><div><a href="#invalid-component-match">invalid-component-match</a></div><div><a href="#missing-component-description">missing-component-description</a></div><div><a href="#incomplete-response-description">incomplete-response-description</a></div><div><a 
href="#incomplete-response-remarks">incomplete-response-remarks</a></div><div><a href="#responsible-role-has-role-definition">responsible-role-has-role-definition</a></div><div><a href="#responsible-role-has-user">responsible-role-has-user</a></div><div><a href="#control-implementation">control-implementation</a></div><div><a href="#"></a></div><div><a href="#system-security-plan-has-import-profile">system-security-plan-has-import-profile</a></div><div><a href="#"></a></div><div><a href="#import-profile-has-href-attribute">import-profile-has-href-attribute</a></div><div><a href="#"></a></div><div><a href="#implemented-requirement-has-implementation-status">implemented-requirement-has-implementation-status</a></div><div><a href="#implemented-requirement-has-planned-completion-date">implemented-requirement-has-planned-completion-date</a></div><div><a href="#implemented-requirement-has-control-origination">implemented-requirement-has-control-origination</a></div><div><a href="#implemented-requirement-has-allowed-control-origination">implemented-requirement-has-allowed-control-origination</a></div><div><a href="#implemented-requirement-has-leveraged-authorization">implemented-requirement-has-leveraged-authorization</a></div><div><a href="#"></a></div><div><a href="#implemented-requirement-has-implementation-status-remarks">implemented-requirement-has-implementation-status-remarks</a></div><div><a href="#"></a></div><div><a href="#planned-completion-date-is-valid">planned-completion-date-is-valid</a></div></details></td></tr><tr><td><div>Within a FedRAMP SSP, every required control must have an implementation status.</div></td><td><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §5.3</div><div>template-reference: System Security Plan Template §13</div><span class="has-assertion">Has Schematron assertion</span>: <code>implemented-requirement-has-implementation-status</code><details><summary>Related Schematron assertions</summary><div><a 
href="#incomplete-all-implemented-requirements">incomplete-all-implemented-requirements</a></div><div><a href="#extraneous-implemented-requirements">extraneous-implemented-requirements</a></div><div><a href="#invalid-implementation-status">invalid-implementation-status</a></div><div><a href="#missing-response-points">missing-response-points</a></div><div><a href="#missing-response-components">missing-response-components</a></div><div><a href="#extraneous-response-description">extraneous-response-description</a></div><div><a href="#extraneous-response-remarks">extraneous-response-remarks</a></div><div><a href="#invalid-component-match">invalid-component-match</a></div><div><a href="#missing-component-description">missing-component-description</a></div><div><a href="#incomplete-response-description">incomplete-response-description</a></div><div><a href="#incomplete-response-remarks">incomplete-response-remarks</a></div><div><a href="#responsible-role-has-role-definition">responsible-role-has-role-definition</a></div><div><a href="#responsible-role-has-user">responsible-role-has-user</a></div><div><a href="#control-implementation">control-implementation</a></div><div><a href="#"></a></div><div><a href="#system-security-plan-has-import-profile">system-security-plan-has-import-profile</a></div><div><a href="#"></a></div><div><a href="#import-profile-has-href-attribute">import-profile-has-href-attribute</a></div><div><a href="#"></a></div><div><a href="#implemented-requirement-has-implementation-status">implemented-requirement-has-implementation-status</a></div><div><a href="#implemented-requirement-has-planned-completion-date">implemented-requirement-has-planned-completion-date</a></div><div><a href="#implemented-requirement-has-control-origination">implemented-requirement-has-control-origination</a></div><div><a href="#implemented-requirement-has-allowed-control-origination">implemented-requirement-has-allowed-control-origination</a></div><div><a 
href="#implemented-requirement-has-leveraged-authorization">implemented-requirement-has-leveraged-authorization</a></div><div><a href="#"></a></div><div><a href="#implemented-requirement-has-implementation-status-remarks">implemented-requirement-has-implementation-status-remarks</a></div><div><a href="#"></a></div><div><a href="#planned-completion-date-is-valid">planned-completion-date-is-valid</a></div><div><a href="#planned-completion-date-is-not-past">planned-completion-date-is-not-past</a></div></details></td></tr><tr><td><div>Within a FedRAMP SSP, planned control implementations must have a planned completion date.</div></td><td><div>guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §5.3</div><div>template-reference: System Security Plan Template §13</div><span class="has-assertion">Has Schematron assertion</span>: <code>implemented-requirement-has-planned-completion-date</code><details><summary>Related Schematron assertions</summary><div><a href="#incomplete-all-implemented-requirements">incomplete-all-implemented-requirements</a></div><div><a href="#extraneous-implemented-requirements">extraneous-implemented-requirements</a></div><div><a href="#invalid-implementation-status">invalid-implementation-status</a></div><div><a href="#missing-response-points">missing-response-points</a></div><div><a href="#missing-response-components">missing-response-components</a></div><div><a href="#extraneous-response-description">extraneous-response-description</a></div><div><a href="#extraneous-response-remarks">extraneous-response-remarks</a></div><div><a href="#invalid-component-match">invalid-component-match</a></div><div><a href="#missing-component-description">missing-component-description</a></div><div><a href="#incomplete-response-description">incomplete-response-description</a></div><div><a href="#incomplete-response-remarks">incomplete-response-remarks</a></div><div><a 
href="#responsible-role-has-role-definition">responsible-role-has-role-definition</a></div><div><a href="#responsible-role-has-user">responsible-role-has-user</a></div><div><a href="#control-implementation">control-implementation</a></div><div><a href="#"></a></div><div><a href="#system-security-plan-has-import-profile">system-security-plan-has-import-profile</a></div><div><a href="#"></a></div><div><a href="#import-profile-has-href-attribute">import-profile-has-href-attribute</a></div><div><a href="#"></a></div><div><a href="#implemented-requirement-has-implementation-status">implemented-requirement-has-implementation-status</a></div><div><a href="#implemented-requirement-has-planned-completion-date">implemented-requirement-has-planned-completion-date</a></div><div><a href="#implemented-requirement-has-control-origination">implemented-requirement-has-control-origination</a></div><div><a href="#implemented-requirement-has-allowed-control-origination">implemented-requirement-has-allowed-control-origination</a></div><div><a href="#implemented-requirement-has-leveraged-authorization">implemented-requirement-has-leveraged-authorization</a></div><div><a href="#"></a></div><div><a href="#implemented-requirement-has-implementation-status-remarks">implemented-requirement-has-implementation-status-remarks</a></div><div><a href="#"></a></div><div><a href="#planned-completion-date-is-valid">planned-completion-date-is-valid</a></div><div><a href="#planned-completion-date-is-not-past">planned-completion-date-is-not-past</a></div></details></td></tr></tbody></table><h2>Schematron Assertion Messages</h2><p>The following table shows affirmative (👍) messages and negative (👎), or diagnostic, messages for each Schematron
assertion.</p><p>Messages are predominantly simple English prose statements. Some messages employ substitutions which are replaced when validation
occurs and are highlighted thus: <span class="substitution">&lt;sch:value-of select="current()/@media-type"/&gt;</span>.</p><table><thead><tr><th>Assertion ID</th><th>Schematron Messages</th></tr></thead><tbody><tr><td>no-registry-values</td><td><div>👍 <span class="assertion">The validation technical components are present.</span></div><div>👎 <span class="diagnostic">The validation technical components at the path '<span class="substitution">&lt;sch:value-of select="$registry-base-path"/&gt;</span>' are not present; this configuration is invalid.</span></div></td></tr><tr><td>no-security-sensitivity-level</td><td><div>👍 <span class="assertion">[Section C Check 1.a] A FedRAMP SSP must define its sensitivity level.</span></div><div>👎 <span class="diagnostic">No sensitivity level was found. As a result, no more validation processing can
occur.</span></div></td></tr><tr><td>invalid-security-sensitivity-level</td><td><div>👍 <span class="assertion">[Section C Check 1.a] A FedRAMP SSP must have an allowed sensitivity
level.</span></div><div>👎 <span class="diagnostic"><span class="substitution">&lt;sch:value-of select="./name()"/&gt;</span> is an invalid value of '<span class="substitution">&lt;sch:value-of select="lv:sensitivity-level(/)"/&gt;</span>', not an allowed value of <span class="substitution">&lt;sch:value-of select="$corrections"/&gt;</span>. No more validation processing can occur.</span></div></td></tr><tr><td>implemented-response-points</td><td><div>👍 <span class="assertion">A FedRAMP SSP must implement a statement for each of the following lettered response points for required
controls: <span class="substitution">&lt;sch:value-of select="$implemented/@statement-id"/&gt;</span>.</span></div><div>👎 <span class="diagnostic"></span></div></td></tr><tr><td>each-required-control-report</td><td><div>👍 <span class="assertion">The following <span class="substitution">&lt;sch:value-of select="count($required-controls)"/&gt;</span><span class="substitution">&lt;sch:value-of select=" if (count($required-controls) = 1) then ' control' else ' controls'"/&gt;</span> are required: <span class="substitution">&lt;sch:value-of select="$required-controls/@id"/&gt;</span>.</span></div><div>👎 <span class="diagnostic"></span></div></td></tr><tr><td>incomplete-core-implemented-requirements</td><td><div>👍 <span class="assertion">[Section C Check 3] A FedRAMP SSP must implement the most important controls.</span></div><div>👎 <span class="diagnostic">A FedRAMP SSP must implement the most important <span class="substitution">&lt;sch:value-of select="count($core-missing)"/&gt;</span> core <span class="substitution">&lt;sch:value-of select=" if (count($core-missing) = 1) then ' control' else ' controls'"/&gt;</span>: <span class="substitution">&lt;sch:value-of select="$core-missing/@id"/&gt;</span>.</span></div></td></tr><tr><td>incomplete-all-implemented-requirements</td><td><div>👍 <span class="assertion">[Section C Check 2] A FedRAMP SSP must implement all required controls.</span></div><div>👎 <span class="diagnostic">A FedRAMP SSP must implement <span class="substitution">&lt;sch:value-of select="count($all-missing)"/&gt;</span><span class="substitution">&lt;sch:value-of select=" if (count($all-missing) = 1) then ' control' else ' controls'"/&gt;</span> overall: <span class="substitution">&lt;sch:value-of select="$all-missing/@id"/&gt;</span>.</span></div></td></tr><tr><td>extraneous-implemented-requirements</td><td><div>👍 <span class="assertion">[Section C Check 2] A FedRAMP SSP must not include implemented controls beyond what is required for
the applied baseline.</span></div><div>👎 <span class="diagnostic">A FedRAMP SSP must implement <span class="substitution">&lt;sch:value-of select="count($extraneous)"/&gt;</span> extraneous <span class="substitution">&lt;sch:value-of select=" if (count($extraneous) = 1) then ' control' else ' controls'"/&gt;</span> not needed given the selected profile: <span class="substitution">&lt;sch:value-of select="$extraneous/@control-id"/&gt;</span>.</span></div></td></tr><tr><td>control-implemented-requirements-stats</td><td><div>👍 <span class="assertion"><span class="substitution">&lt;sch:value-of select="$results =&gt; lv:report() =&gt; normalize-space()"/&gt;</span>.</span></div><div>👎 <span class="diagnostic"></span></div></td></tr><tr><td>invalid-implementation-status</td><td><div>👍 <span class="assertion">[Section C Check 2] Implementation status is correct.</span></div><div>👎 <span class="diagnostic">Invalid implementation status '<span class="substitution">&lt;sch:value-of select="$status"/&gt;</span>' for <span class="substitution">&lt;sch:value-of select="./@control-id"/&gt;</span>, must be <span class="substitution">&lt;sch:value-of select="$corrections"/&gt;</span>.</span></div></td></tr><tr><td>missing-response-points</td><td><div>👍 <span class="assertion">[Section C Check 2] A FedRAMP SSP must have required response points.</span></div><div>👎 <span class="diagnostic">This FedRAMP SSP lacks a statement for each of the following lettered response points for required
controls: <span class="substitution">&lt;sch:value-of select="$missing/@id"/&gt;</span>.</span></div></td></tr><tr><td>missing-response-components</td><td><div>👍 <span class="assertion">[Section D Checks] Response statements have sufficient
components.</span></div><div>👎 <span class="diagnostic">Response statements for <span class="substitution">&lt;sch:value-of select="./@statement-id"/&gt;</span> must have at least <span class="substitution">&lt;sch:value-of select="$required-components-count"/&gt;</span><span class="substitution">&lt;sch:value-of select=" if (count($components-count) = 1) then ' component' else ' components'"/&gt;</span> with a description. There are <span class="substitution">&lt;sch:value-of select="$components-count"/&gt;</span>.</span></div></td></tr><tr><td>extraneous-response-description</td><td><div>👍 <span class="assertion">[Section D Checks] Response statement does not have a description not within a component.</span></div><div>👎 <span class="diagnostic">Response statement <span class="substitution">&lt;sch:value-of select="../@statement-id"/&gt;</span> has a description not within a component. That was previously allowed, but not recommended. It will soon
be syntactically invalid and deprecated.</span></div></td></tr><tr><td>extraneous-response-remarks</td><td><div>👍 <span class="assertion">[Section D Checks] Response statement does not have remarks not within a component.</span></div><div>👎 <span class="diagnostic">Response statement <span class="substitution">&lt;sch:value-of select="../@statement-id"/&gt;</span> has remarks not within a component. That was previously allowed, but not recommended. It will soon be
syntactically invalid and deprecated.</span></div></td></tr><tr><td>invalid-component-match</td><td><div>👍 <span class="assertion">[Section D Checks] Response
statement cites a component in the system implementation inventory.</span></div><div>👎 <span class="diagnostic">Response statement <span class="substitution">&lt;sch:value-of select="../@statement-id"/&gt;</span> with component reference UUID '<span class="substitution">&lt;sch:value-of select="$component-ref"/&gt;</span>' is not in the system implementation inventory, and cannot be used to define a control.</span></div></td></tr><tr><td>missing-component-description</td><td><div>👍 <span class="assertion">[Section D Checks] Response statement has a component which has a required
description.</span></div><div>👎 <span class="diagnostic">Response statement <span class="substitution">&lt;sch:value-of select="../@statement-id"/&gt;</span> has a component, but that component is missing a required description node.</span></div></td></tr><tr><td>incomplete-response-description</td><td><div>👍 <span class="assertion">[Section D Checks] Response statement component description has adequate
length.</span></div><div>👎 <span class="diagnostic">Response statement component description for <span class="substitution">&lt;sch:value-of select="../../@statement-id"/&gt;</span> is too short with <span class="substitution">&lt;sch:value-of select="$description-length"/&gt;</span> characters. It must be <span class="substitution">&lt;sch:value-of select="$required-length"/&gt;</span> characters long.</span></div></td></tr><tr><td>incomplete-response-remarks</td><td><div>👍 <span class="assertion">[Section D Checks] Response statement component remarks have adequate
length.</span></div><div>👎 <span class="diagnostic">Response statement component remarks for <span class="substitution">&lt;sch:value-of select="../../@statement-id"/&gt;</span> are too short with <span class="substitution">&lt;sch:value-of select="$remarks-length"/&gt;</span> characters. It must be <span class="substitution">&lt;sch:value-of select="$required-length"/&gt;</span> characters long.</span></div></td></tr><tr><td>incorrect-role-association</td><td><div>👍 <span class="assertion">[Section C Check 2] A FedRAMP SSP must define a responsible party with no extraneous
roles.</span></div><div>👎 <span class="diagnostic">A FedRAMP SSP must define a responsible party with <span class="substitution">&lt;sch:value-of select="count($extraneous-roles)"/&gt;</span><span class="substitution">&lt;sch:value-of select=" if (count($extraneous-roles) = 1) then ' role' else ' roles'"/&gt;</span> not defined in the role: <span class="substitution">&lt;sch:value-of select="$extraneous-roles/@role-id"/&gt;</span>.</span></div></td></tr><tr><td>incorrect-party-association</td><td><div>👍 <span class="assertion">[Section C Check 2] A FedRAMP SSP must define a responsible party with no extraneous
parties.</span></div><div>👎 <span class="diagnostic">A FedRAMP SSP must define a responsible party with <span class="substitution">&lt;sch:value-of select="count($extraneous-parties)"/&gt;</span><span class="substitution">&lt;sch:value-of select=" if (count($extraneous-parties) = 1) then ' party' else ' parties'"/&gt;</span> is not a defined party: <span class="substitution">&lt;sch:value-of select="$extraneous-parties/o:party-uuid"/&gt;</span>.</span></div></td></tr><tr><td>resource-uuid-required</td><td><div>👍 <span class="assertion">Every supporting artifact found in a citation has a unique identifier.</span></div><div>👎 <span class="diagnostic">This FedRAMP SSP has a back-matter resource which lacks a UUID.</span></div></td></tr><tr><td>resource-base64-available-filename</td><td><div>👍 <span class="assertion">Every declared embedded attachment has a filename attribute.</span></div><div>👎 <span class="diagnostic">This base64 lacks a filename attribute.</span></div></td></tr><tr><td>resource-base64-available-media-type</td><td><div>👍 <span class="assertion">Every declared embedded attachment has a media type.</span></div><div>👎 <span class="diagnostic">This base64 lacks a media-type attribute.</span></div></td></tr><tr><td>resource-has-uuid</td><td><div>👍 <span class="assertion">Every supporting artifact found in a citation must have a unique identifier.</span></div><div>👎 <span class="diagnostic">This resource lacks a uuid attribute.</span></div></td></tr><tr><td>resource-has-title</td><td><div>👍 <span class="assertion">Every supporting artifact found in a citation should have a title.</span></div><div>👎 <span class="diagnostic">This resource lacks a title.</span></div></td></tr><tr><td>resource-has-rlink</td><td><div>👍 <span class="assertion">Every supporting artifact found in a citation must have a rlink element.</span></div><div>👎 <span class="diagnostic">This resource lacks a rlink element.</span></div></td></tr><tr><td>resource-is-referenced</td><td><div>👍 
<span class="assertion">Every supporting artifact found in a citation should be
referenced from within the document.</span></div><div>👎 <span class="diagnostic">This resource lacks a reference within the document.</span></div></td></tr><tr><td>attachment-type-is-valid</td><td><div>👍 <span class="assertion">A supporting artifact found in a citation should have an allowed attachment type.</span></div><div>👎 <span class="diagnostic">Found unknown attachment type «<span class="substitution">&lt;sch:value-of select="@value"/&gt;</span>» in <span class="substitution">&lt;sch:value-of select=" if (parent::oscal:resource/oscal:title) then concat('"', parent::oscal:resource/oscal:title, '"') else 'untitled'"/&gt;</span> resource.</span></div></td></tr><tr><td>rlink-has-href</td><td><div>👍 <span class="assertion">Every supporting artifact found in a citation rlink must have a reference.</span></div><div>👎 <span class="diagnostic">This rlink lacks an href attribute.</span></div></td></tr><tr><td>has-allowed-media-type</td><td><div>👍 <span class="assertion">A media-type attribute must have an allowed value.</span></div><div>👎 <span class="diagnostic">This <span class="substitution">&lt;sch:value-of select="name(parent::node())"/&gt;</span> has a media-type="<span class="substitution">&lt;sch:value-of select="current()/@media-type"/&gt;</span>" which is not in the list of allowed media types. 
Allowed media types are <span class="substitution">&lt;sch:value-of select="string-join($media-types, ' ∨ ')"/&gt;</span>.</span></div></td></tr><tr><td>resource-has-base64</td><td><div>👍 <span class="assertion">A supporting artifact found in a citation should have an embedded attachment element.</span></div><div>👎 <span class="diagnostic">This resource lacks a base64 element.</span></div></td></tr><tr><td>resource-has-base64-cardinality</td><td><div>👍 <span class="assertion">A supporting artifact found in a citation must have only one embedded attachment element.</span></div><div>👎 <span class="diagnostic">This resource must not have more than one base64 element.</span></div></td></tr><tr><td>base64-has-filename</td><td><div>👍 <span class="assertion">Every embedded attachment element must have a filename attribute.</span></div><div>👎 <span class="diagnostic">This base64 must have a filename attribute.</span></div></td></tr><tr><td>base64-has-media-type</td><td><div>👍 <span class="assertion">Every embedded attachment element must have a media type.</span></div><div>👎 <span class="diagnostic">This base64 element lacks a media-type attribute.</span></div></td></tr><tr><td>base64-has-content</td><td><div>👍 <span class="assertion"> Every
embedded attachment element must have content.</span></div><div>👎 <span class="diagnostic">This base64 element lacks content.</span></div></td></tr><tr><td>has-fedramp-acronyms</td><td><div>👍 <span class="assertion">A FedRAMP
OSCAL SSP must have the FedRAMP Master Acronym and Glossary attached.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP lacks the FedRAMP Master Acronym and Glossary.</span></div></td></tr><tr><td>has-fedramp-citations</td><td><div>👍 <span class="assertion"> [Section
B Check 3.12] A FedRAMP SSP must have the FedRAMP Applicable Laws and Regulations attached.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP lacks the FedRAMP Applicable Laws and Regulations.</span></div></td></tr><tr><td>has-fedramp-logo</td><td><div>👍 <span class="assertion">A FedRAMP OSCAL
SSP must have the FedRAMP Logo attached.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP lacks the FedRAMP Logo.</span></div></td></tr><tr><td>has-user-guide</td><td><div>👍 <span class="assertion">[Section B Check
3.2] A FedRAMP SSP must have a User Guide attached.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP lacks a User Guide.</span></div></td></tr><tr><td>has-rules-of-behavior</td><td><div>👍 <span class="assertion"> [Section
B Check 3.5] A FedRAMP SSP must have Rules of Behavior.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP lacks Rules of Behavior.</span></div></td></tr><tr><td>has-information-system-contingency-plan</td><td><div>👍 <span class="assertion">
[Section B Check 3.6] A FedRAMP SSP must have a Contingency Plan attached.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP lacks a Contingency Plan.</span></div></td></tr><tr><td>has-configuration-management-plan</td><td><div>👍 <span class="assertion">
[Section B Check 3.7] A FedRAMP SSP must have a Configuration Management Plan attached.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP lacks a Configuration Management Plan.</span></div></td></tr><tr><td>has-incident-response-plan</td><td><div>👍 <span class="assertion">
[Section B Check 3.8] A FedRAMP SSP must have an Incident Response Plan attached.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP lacks an Incident Response Plan.</span></div></td></tr><tr><td>has-separation-of-duties-matrix</td><td><div>👍 <span class="assertion">
[Section B Check 3.11] A FedRAMP SSP must have a Separation of Duties Matrix attached.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP lacks a Separation of Duties Matrix.</span></div></td></tr><tr><td>has-policy-link</td><td><div>👍 <span class="assertion">[Section B Check 3.1] A FedRAMP SSP must incorporate a policy
document for each of the 17 NIST SP 800-54 Revision 4 control families.</span></div><div>👎 <span class="diagnostic"><span class="substitution">&lt;sch:value-of select="local-name()"/&gt;</span><span class="substitution">&lt;sch:value-of select="@control-id"/&gt;</span> lacks policy reference(s) (via by-component link).</span></div></td></tr><tr><td>has-policy-attachment-resource</td><td><div>👍 <span class="assertion">[Section B
Check 3.1] A FedRAMP SSP must incorporate a policy document for each of the 17 NIST SP 800-54 Revision 4 control
families.</span></div><div>👎 <span class="diagnostic"><span class="substitution">&lt;sch:value-of select="local-name()"/&gt;</span><span class="substitution">&lt;sch:value-of select="@control-id"/&gt;</span> lacks policy attachment resource(s) <span class="substitution">&lt;sch:value-of select="string-join($policy-hrefs, ', ')"/&gt;</span>.</span></div></td></tr><tr><td>has-procedure-link</td><td><div>👍 <span class="assertion">[Section B Check 3.1] A FedRAMP SSP must incorporate a procedure
document for each of the 17 NIST SP 800-54 Revision 4 control families.</span></div><div>👎 <span class="diagnostic"><span class="substitution">&lt;sch:value-of select="local-name()"/&gt;</span><span class="substitution">&lt;sch:value-of select="@control-id"/&gt;</span> lacks procedure reference(s) (via by-component link).</span></div></td></tr><tr><td>has-procedure-attachment-resource</td><td><div>👍 <span class="assertion">[Section
B Check 3.1] A FedRAMP SSP must incorporate a procedure document for each of the 17 NIST SP 800-54 Revision 4 control
families.</span></div><div>👎 <span class="diagnostic"><span class="substitution">&lt;sch:value-of select="local-name()"/&gt;</span><span class="substitution">&lt;sch:value-of select="@control-id"/&gt;</span> lacks procedure attachment resource(s) <span class="substitution">&lt;sch:value-of select="string-join($procedure-hrefs, ', ')"/&gt;</span>.</span></div></td></tr><tr><td>has-reuse</td><td><div>👍 <span class="assertion">
[Section B Check 3.1] Policy and procedure documents must have unique per-control-family associations.</span></div><div>👎 <span class="diagnostic">A policy or procedure reference was incorrectly re-used.</span></div></td></tr><tr><td>has-privacy-poc-role</td><td><div>👍 <span class="assertion">[Section B Check 3.4] A FedRAMP SSP must incorporate
a Privacy Point of Contact role.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP lacks a Privacy Point of Contact role.</span></div></td></tr><tr><td>has-responsible-party-privacy-poc-role</td><td><div>👍 <span class="assertion">[Section B Check 3.4] A FedRAMP
OSCAL SSP must declare a Privacy Point of Contact responsible party role reference.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP lacks a Privacy Point of Contact responsible party role
reference.</span></div></td></tr><tr><td>has-responsible-privacy-poc-party-uuid</td><td><div>👍 <span class="assertion">[Section B Check
3.4] A FedRAMP SSP must declare a Privacy Point of Contact responsible party role reference identifying the party by unique
identifier.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP lacks a Privacy Point of Contact responsible party role
reference identifying the party by UUID.</span></div></td></tr><tr><td>has-privacy-poc</td><td><div>👍 <span class="assertion">[Section B Check 3.4] A FedRAMP SSP must define a
Privacy Point of Contact.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP lacks a Privacy Point of Contact.</span></div></td></tr><tr><td>has-correct-yes-or-no-answer</td><td><div>👍 <span class="assertion">[Section B Check 3.4] A Privacy Threshold Analysis (PTA)/Privacy Impact Analysis (PIA)
qualifying question must have an allowed answer.</span></div><div>👎 <span class="diagnostic">This property has an incorrect value: should be "yes" or "no".</span></div></td></tr><tr><td>has-privacy-sensitive-designation</td><td><div>👍 <span class="assertion">[Section B Check 3.4] A FedRAMP SSP must have a privacy-sensitive
designation.</span></div><div>👎 <span class="diagnostic">The privacy-sensitive designation is missing.</span></div></td></tr><tr><td>has-pta-question-1</td><td><div>👍 <span class="assertion">[Section B Check 3.4] A FedRAMP OSCAL
SSP must have Privacy Threshold Analysis (PTA)/Privacy Impact Analysis (PIA) qualifying question #1.</span></div><div>👎 <span class="diagnostic">The Privacy Threshold Analysis (PTA)/Privacy Impact Analysis (PIA) qualifying question #1 is
missing.</span></div></td></tr><tr><td>has-pta-question-2</td><td><div>👍 <span class="assertion">[Section B Check 3.4] A FedRAMP OSCAL
SSP must have Privacy Threshold Analysis (PTA)/Privacy Impact Analysis (PIA) qualifying question #2.</span></div><div>👎 <span class="diagnostic">The Privacy Threshold Analysis (PTA)/Privacy Impact Analysis (PIA) qualifying question #2 is
missing.</span></div></td></tr><tr><td>has-pta-question-3</td><td><div>👍 <span class="assertion">[Section B Check 3.4] A FedRAMP OSCAL
SSP must have Privacy Threshold Analysis (PTA)/Privacy Impact Analysis (PIA) qualifying question #3.</span></div><div>👎 <span class="diagnostic">The Privacy Threshold Analysis (PTA)/Privacy Impact Analysis (PIA) qualifying question #3 is
missing.</span></div></td></tr><tr><td>has-pta-question-4</td><td><div>👍 <span class="assertion">[Section B Check 3.4] A FedRAMP OSCAL
SSP must have Privacy Threshold Analysis (PTA)/Privacy Impact Analysis (PIA) qualifying question #4.</span></div><div>👎 <span class="diagnostic">The Privacy Threshold Analysis (PTA)/Privacy Impact Analysis (PIA) qualifying question #4 is
missing.</span></div></td></tr><tr><td>has-all-pta-questions</td><td><div>👍 <span class="assertion">[Section
B Check 3.4] A FedRAMP SSP must have all four PTA questions.</span></div><div>👎 <span class="diagnostic">One or more of the four PTA questions is missing.</span></div></td></tr><tr><td>has-correct-pta-question-cardinality</td><td><div>👍 <span class="assertion">[Section
B Check 3.4] A FedRAMP SSP must have no duplicate PTA questions.</span></div><div>👎 <span class="diagnostic">One or more of the four PTA questions is a duplicate.</span></div></td></tr><tr><td>has-sorn</td><td><div>👍 <span class="assertion">
[Section B Check 3.4] A FedRAMP SSP may have a SORN ID.</span></div><div>👎 <span class="diagnostic">The SORN ID is missing.</span></div></td></tr><tr><td>has-pia</td><td><div>👍 <span class="assertion">
[Section B Check 3.4] This FedRAMP SSP must incorporate a Privacy Impact Analysis.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP lacks a Privacy Impact Analysis.</span></div></td></tr><tr><td>has-CMVP-validation</td><td><div>👍 <span class="assertion">A FedRAMP SSP must incorporate one or more FIPS 140 validated modules.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP does not declare one or more FIPS 140 validated modules.</span></div></td></tr><tr><td>has-CMVP-validation-reference</td><td><div>👍 <span class="assertion">Every FIPS 140 validation citation must have a validation reference.</span></div><div>👎 <span class="diagnostic">This validation component or inventory-item lacks a validation-reference
property.</span></div></td></tr><tr><td>has-CMVP-validation-details</td><td><div>👍 <span class="assertion">Every FIPS 140 validation citation must have validation details.</span></div><div>👎 <span class="diagnostic">This validation component or inventory-item lacks a validation-details link.</span></div></td></tr><tr><td>has-credible-CMVP-validation-reference</td><td><div>👍 <span class="assertion">A validation reference must provide a NIST Cryptographic Module Validation Program (CMVP)
certificate number.</span></div><div>👎 <span class="diagnostic">This validation-reference property does not resemble a CMVP certificate
number.</span></div></td></tr><tr><td>has-consonant-CMVP-validation-reference</td><td><div>👍 <span class="assertion">A validation reference must be
in accord with its sibling validation details.</span></div><div>👎 <span class="diagnostic">This validation-reference property does not match its sibling validation-details
href.</span></div></td></tr><tr><td>has-credible-CMVP-validation-details</td><td><div>👍 <span class="assertion">A validation
details must refer to a NIST Cryptographic Module Validation Program (CMVP) certificate detail page.</span></div><div>👎 <span class="diagnostic">This validation-details link href attribute does not resemble a CMVP certificate
URL.</span></div></td></tr><tr><td>has-consonant-CMVP-validation-details</td><td><div>👍 <span class="assertion">A validation details link
must be in accord with its sibling validation reference.</span></div><div>👎 <span class="diagnostic">This validation-details link href attribute does not match its sibling
validation-reference value.</span></div></td></tr><tr><td>has-security-sensitivity-level</td><td><div>👍 <span class="assertion">[Section B Check 3.10] A FedRAMP SSP must specify a FIPS 199 categorization.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP lacks a FIPS 199 categorization.</span></div></td></tr><tr><td>has-security-impact-level</td><td><div>👍 <span class="assertion">[Section B Check 3.10] A FedRAMP SSP must specify a security impact level.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP lacks a security impact level.</span></div></td></tr><tr><td>has-allowed-security-sensitivity-level</td><td><div>👍 <span class="assertion">[Section B Check 3.10] A FedRAMP SSP must specify an allowed security sensitivity
level.</span></div><div>👎 <span class="diagnostic">Invalid security-sensitivity-level "<span class="substitution">&lt;sch:value-of select="."/&gt;</span>". It must have one of the following <span class="substitution">&lt;sch:value-of select="count($security-sensitivity-levels)"/&gt;</span> values: <span class="substitution">&lt;sch:value-of select="string-join($security-sensitivity-levels, ' ∨ ')"/&gt;</span>.</span></div></td></tr><tr><td>has-security-objective-confidentiality</td><td><div>👍 <span class="assertion">[Section B Check 3.10] A FedRAMP SSP must specify a confidentiality security
objective.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP lacks a confidentiality security objective.</span></div></td></tr><tr><td>has-security-objective-integrity</td><td><div>👍 <span class="assertion">[Section B Check 3.10] A FedRAMP SSP must specify an integrity security
objective.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP lacks an integrity security objective.</span></div></td></tr><tr><td>has-security-objective-availability</td><td><div>👍 <span class="assertion">[Section B Check 3.10] A FedRAMP SSP must specify an availability security
objective.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP lacks an availability security objective.</span></div></td></tr><tr><td>has-allowed-security-objective-value</td><td><div>👍 <span class="assertion">[Section B Check 3.10] A FedRAMP SSP must specify an allowed security objective
value.</span></div><div>👎 <span class="diagnostic">Invalid "<span class="substitution">&lt;sch:value-of select="name()"/&gt;</span>" <span class="substitution">&lt;sch:value-of select="."/&gt;</span>". It must have one of the following <span class="substitution">&lt;sch:value-of select="count($security-objective-levels)"/&gt;</span> values: <span class="substitution">&lt;sch:value-of select="string-join($security-objective-levels, ' ∨ ')"/&gt;</span>.</span></div></td></tr><tr><td>system-information-has-information-type</td><td><div>👍 <span class="assertion">A FedRAMP SSP must specify at least one information type.</span></div><div>👎 <span class="diagnostic">A FedRAMP OSCAL SSP lacks at least one information-type.</span></div></td></tr><tr><td>information-type-has-title</td><td><div>👍 <span class="assertion">A FedRAMP SSP information type must have a title.</span></div><div>👎 <span class="diagnostic">A FedRAMP OSCAL SSP information-type lacks a title.</span></div></td></tr><tr><td>information-type-has-description</td><td><div>👍 <span class="assertion">A FedRAMP SSP information type must have a description.</span></div><div>👎 <span class="diagnostic">A FedRAMP OSCAL SSP information-type lacks a description.</span></div></td></tr><tr><td>information-type-has-categorization</td><td><div>👍 <span class="assertion">A FedRAMP SSP information type must have at least one categorization.</span></div><div>👎 <span class="diagnostic">A FedRAMP OSCAL SSP information-type lacks at least one
categorization.</span></div></td></tr><tr><td>information-type-has-confidentiality-impact</td><td><div>👍 <span class="assertion">A FedRAMP SSP information type must have a confidentiality impact.</span></div><div>👎 <span class="diagnostic">A FedRAMP OSCAL SSP information-type lacks a
confidentiality-impact.</span></div></td></tr><tr><td>information-type-has-integrity-impact</td><td><div>👍 <span class="assertion">A FedRAMP SSP information type must have an integrity impact.</span></div><div>👎 <span class="diagnostic">A FedRAMP OSCAL SSP information-type lacks an integrity-impact.</span></div></td></tr><tr><td>information-type-has-availability-impact</td><td><div>👍 <span class="assertion">A FedRAMP SSP information type must have an availability impact.</span></div><div>👎 <span class="diagnostic">A FedRAMP OSCAL SSP information-type lacks an
availability-impact.</span></div></td></tr><tr><td>categorization-has-system-attribute</td><td><div>👍 <span class="assertion">A FedRAMP SSP information type categorization must have a system attribute.</span></div><div>👎 <span class="diagnostic">A FedRAMP OSCAL SSP information-type categorization lacks a system
attribute.</span></div></td></tr><tr><td>categorization-has-correct-system-attribute</td><td><div>👍 <span class="assertion">A FedRAMP SSP information type categorization must have a correct system
attribute.</span></div><div>👎 <span class="diagnostic">A FedRAMP OSCAL SSP information-type categorization lacks a correct system
attribute. The correct value is "https://doi.org/10.6028/NIST.SP.800-60v2r1".</span></div></td></tr><tr><td>categorization-has-information-type-id</td><td><div>👍 <span class="assertion">A FedRAMP SSP information type categorization must have at least one information type
identifier.</span></div><div>👎 <span class="diagnostic">A FedRAMP OSCAL SSP information-type categorization lacks at least one
information-type-id.</span></div></td></tr><tr><td>has-allowed-information-type-id</td><td><div>👍 <span class="assertion">A FedRAMP SSP information type identifier must be chosen from those found in NIST SP
800-60v2r1.</span></div><div>👎 <span class="diagnostic">A FedRAMP OSCAL SSP information-type-id lacks a SP 800-60v2r1 identifier.</span></div></td></tr><tr><td>cia-impact-has-base</td><td><div>👍 <span class="assertion">A FedRAMP SSP information type confidentiality, integrity, or availability impact must specify the base
impact.</span></div><div>👎 <span class="diagnostic">A FedRAMP OSCAL SSP information-type confidentiality-, integrity-, or availability-impact lacks a base
element.</span></div></td></tr><tr><td>cia-impact-has-selected</td><td><div>👍 <span class="assertion">A FedRAMP SSP information type confidentiality, integrity, or availability impact must specify the selected
impact.</span></div><div>👎 <span class="diagnostic">A FedRAMP OSCAL SSP information-type confidentiality-, integrity-, or availability-impact lacks a
selected element.</span></div></td></tr><tr><td>cia-impact-has-approved-fips-categorization</td><td><div>👍 <span class="assertion">A FedRAMP SSP must indicate for its information system the appropriate categorization for the respective
confidentiality, integrity, and availability impact levels of its information types (per FIPS-199).</span></div><div>👎 <span class="diagnostic">A FedRAMP OSCAL SSP information-type confidentiality-, integrity-, or
availability-impact base or selected element lacks an approved value.</span></div></td></tr><tr><td>has-security-eauth-level</td><td><div>👍 <span class="assertion"> [Section B
Check 3.3, Section C Check 7] A FedRAMP SSP must have a Digital Identity Determination property.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP lacks a Digital Identity Determination property.</span></div></td></tr><tr><td>has-identity-assurance-level</td><td><div>👍 <span class="assertion">[Section B Check 3.3, Section C Check 7] A FedRAMP SSP may have a Digital
Identity Determination identity assurance level property.</span></div><div>👎 <span class="diagnostic">A FedRAMP OSCAL SSP may lack a Digital Identity Determination identity-assurance-level
property.</span></div></td></tr><tr><td>has-authenticator-assurance-level</td><td><div>👍 <span class="assertion">[Section B Check 3.3, Section C Check 7] A FedRAMP SSP may have a Digital
Identity Determination authenticator assurance level property.</span></div><div>👎 <span class="diagnostic">A FedRAMP OSCAL SSP may lack a Digital Identity Determination
authenticator-assurance-level property.</span></div></td></tr><tr><td>has-federation-assurance-level</td><td><div>👍 <span class="assertion">[Section B Check 3.3, Section C Check 7] A FedRAMP SSP may have a Digital
Identity Determination federation assurance level property.</span></div><div>👎 <span class="diagnostic">A FedRAMP OSCAL SSP may lack a Digital Identity Determination federation-assurance-level
property.</span></div></td></tr><tr><td>has-allowed-security-eauth-level</td><td><div>👍 <span class="assertion">[Section B Check 3.3, Section C Check 7] A FedRAMP SSP must have a Digital Identity Determination
property with an allowed value.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP lacks a Digital Identity Determination property with an allowed
value.</span></div></td></tr><tr><td>has-allowed-identity-assurance-level</td><td><div>👍 <span class="assertion">[Section B Check 3.3, Section C Check 7] A FedRAMP SSP should have an allowed Digital
Identity Determination identity assurance level.</span></div><div>👎 <span class="diagnostic">A FedRAMP OSCAL SSP may lack an allowed Digital Identity Determination
identity-assurance-level property.</span></div></td></tr><tr><td>has-allowed-authenticator-assurance-level</td><td><div>👍 <span class="assertion">[Section B Check 3.3, Section C Check 7] A FedRAMP SSP should have an allowed Digital
Identity Determination authenticator assurance level.</span></div><div>👎 <span class="diagnostic">A FedRAMP OSCAL SSP may lack an allowed Digital Identity Determination
authenticator-assurance-level property.</span></div></td></tr><tr><td>has-allowed-federation-assurance-level</td><td><div>👍 <span class="assertion">[Section B Check 3.3, Section C Check 7] A FedRAMP SSP should have an allowed Digital
Identity Determination federation assurance level.</span></div><div>👎 <span class="diagnostic">A FedRAMP OSCAL SSP may lack an allowed Digital Identity Determination
federation-assurance-level property.</span></div></td></tr><tr><td>has-inventory-items</td><td><div>👍 <span class="assertion">A FedRAMP SSP must incorporate inventory items.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP lacks inventory-item elements.</span></div></td></tr><tr><td>has-unique-asset-id</td><td><div>👍 <span class="assertion">Every asset identifier must be unique.</span></div><div>👎 <span class="diagnostic">This asset id <span class="substitution">&lt;sch:value-of select="@asset-id"/&gt;</span> is not unique. An asset id must be unique within the scope of a FedRAMP OSCAL SSP document.</span></div></td></tr><tr><td>has-allowed-asset-type</td><td><div>👍 <span class="assertion">An asset type must have an allowed value.</span></div><div>👎 <span class="diagnostic"><span class="substitution">&lt;sch:value-of select="name()"/&gt;</span> should have a FedRAMP asset type <span class="substitution">&lt;sch:value-of select="string-join($asset-types, ' ∨ ')"/&gt;</span> (not " <span class="substitution">&lt;sch:value-of select="@value"/&gt;</span>").</span></div></td></tr><tr><td>has-allowed-virtual</td><td><div>👍 <span class="assertion">A virtual property must have an allowed value.</span></div><div>👎 <span class="diagnostic"><span class="substitution">&lt;sch:value-of select="name()"/&gt;</span> must have an allowed value <span class="substitution">&lt;sch:value-of select="string-join($virtuals, ' ∨ ')"/&gt;</span> (not " <span class="substitution">&lt;sch:value-of select="@value"/&gt;</span>").</span></div></td></tr><tr><td>has-allowed-public</td><td><div>👍 <span class="assertion">A public property must have an allowed value.</span></div><div>👎 <span class="diagnostic"><span class="substitution">&lt;sch:value-of select="name()"/&gt;</span> must have an allowed value <span class="substitution">&lt;sch:value-of select="string-join($publics, ' ∨ ')"/&gt;</span> (not " <span class="substitution">&lt;sch:value-of 
select="@value"/&gt;</span>").</span></div></td></tr><tr><td>has-allowed-allows-authenticated-scan</td><td><div>👍 <span class="assertion">An allows-authenticated-scan property has an allowed value.</span></div><div>👎 <span class="diagnostic"><span class="substitution">&lt;sch:value-of select="name()"/&gt;</span> must have an allowed value <span class="substitution">&lt;sch:value-of select="string-join($allows-authenticated-scans, ' ∨ ')"/&gt;</span> (not " <span class="substitution">&lt;sch:value-of select="@value"/&gt;</span>").</span></div></td></tr><tr><td>has-allowed-is-scanned</td><td><div>👍 <span class="assertion">is-scanned property must have an allowed value.</span></div><div>👎 <span class="diagnostic"><span class="substitution">&lt;sch:value-of select="name()"/&gt;</span> must have an allowed value <span class="substitution">&lt;sch:value-of select="string-join($is-scanneds, ' ∨ ')"/&gt;</span> (not " <span class="substitution">&lt;sch:value-of select="@value"/&gt;</span>").</span></div></td></tr><tr><td>has-allowed-scan-type</td><td><div>👍 <span class="assertion">A scan-type property must have an allowed value.</span></div><div>👎 <span class="diagnostic"><span class="substitution">&lt;sch:value-of select="name()"/&gt;</span> must have an allowed value <span class="substitution">&lt;sch:value-of select="string-join($scan-types, ' ∨ ')"/&gt;</span> (not " <span class="substitution">&lt;sch:value-of select="@value"/&gt;</span>").</span></div></td></tr><tr><td>component-has-allowed-type</td><td><div>👍 <span class="assertion">A component must have an allowed type.</span></div><div>👎 <span class="diagnostic"><span class="substitution">&lt;sch:value-of select="name()"/&gt;</span> must have an allowed component type <span class="substitution">&lt;sch:value-of select="string-join($component-types, ' ∨ ')"/&gt;</span> (not " <span class="substitution">&lt;sch:value-of 
select="@type"/&gt;</span>").</span></div></td></tr><tr><td>component-has-asset-type</td><td><div>👍 <span class="assertion">A component must have an asset type.</span></div><div>👎 <span class="diagnostic"><span class="substitution">&lt;sch:value-of select="name()"/&gt;</span> lacks an asset-type property.</span></div></td></tr><tr><td>component-has-one-asset-type</td><td><div>👍 <span class="assertion">A component must have only one asset type.</span></div><div>👎 <span class="diagnostic"><span class="substitution">&lt;sch:value-of select="name()"/&gt;</span> has more than one asset-type property.</span></div></td></tr><tr><td>inventory-item-has-uuid</td><td><div>👍 <span class="assertion">An inventory item has a unique identifier.</span></div><div>👎 <span class="diagnostic">This inventory-item lacks a uuid attribute.</span></div></td></tr><tr><td>has-asset-id</td><td><div>👍 <span class="assertion">An inventory item must have an asset identifier.</span></div><div>👎 <span class="diagnostic">This inventory-item lacks an asset-id property.</span></div></td></tr><tr><td>has-one-asset-id</td><td><div>👍 <span class="assertion">An inventory item must have only one asset identifier.</span></div><div>👎 <span class="diagnostic">This inventory-item has more than one asset-id property.</span></div></td></tr><tr><td>inventory-item-has-asset-type</td><td><div>👍 <span class="assertion">An inventory item must have an asset-type.</span></div><div>👎 <span class="diagnostic">This inventory-item lacks an asset-type property.</span></div></td></tr><tr><td>inventory-item-has-one-asset-type</td><td><div>👍 <span class="assertion">An inventory item must have only one asset-type.</span></div><div>👎 <span class="diagnostic">This inventory-item has more than one asset-type property.</span></div></td></tr><tr><td>inventory-item-has-virtual</td><td><div>👍 <span class="assertion">An inventory item must have a virtual property.</span></div><div>👎 <span class="diagnostic">This inventory-item lacks a 
virtual property.</span></div></td></tr><tr><td>inventory-item-has-one-virtual</td><td><div>👍 <span class="assertion">An inventory item must have only one virtual property.</span></div><div>👎 <span class="diagnostic">This inventory-item has more than one virtual property.</span></div></td></tr><tr><td>inventory-item-has-public</td><td><div>👍 <span class="assertion">An inventory item must have a public property.</span></div><div>👎 <span class="diagnostic">This inventory-item lacks a public property.</span></div></td></tr><tr><td>inventory-item-has-one-public</td><td><div>👍 <span class="assertion">An inventory item must have only one public property.</span></div><div>👎 <span class="diagnostic">This inventory-item has more than one public property.</span></div></td></tr><tr><td>inventory-item-has-scan-type</td><td><div>👍 <span class="assertion">An inventory item must have a scan-type property.</span></div><div>👎 <span class="diagnostic">This inventory-item lacks a scan-type property.</span></div></td></tr><tr><td>inventory-item-has-one-scan-type</td><td><div>👍 <span class="assertion">An inventory item has only one scan-type property.</span></div><div>👎 <span class="diagnostic">This inventory-item has more than one scan-type property.</span></div></td></tr><tr><td>inventory-item-has-allows-authenticated-scan</td><td><div>👍 <span class="assertion">"infrastructure" inventory item has
allows-authenticated-scan.</span></div><div>👎 <span class="diagnostic">This inventory-item lacks an allows-authenticated-scan
property.</span></div></td></tr><tr><td>inventory-item-has-one-allows-authenticated-scan</td><td><div>👍 <span class="assertion">An inventory item has
one allows-authenticated-scan property.</span></div><div>👎 <span class="diagnostic">This inventory-item has more than one allows-authenticated-scan
property.</span></div></td></tr><tr><td>inventory-item-has-baseline-configuration-name</td><td><div>👍 <span class="assertion">"infrastructure" inventory item has
baseline-configuration-name.</span></div><div>👎 <span class="diagnostic">This inventory-item lacks a baseline-configuration-name
property.</span></div></td></tr><tr><td>inventory-item-has-one-baseline-configuration-name</td><td><div>👍 <span class="assertion">"infrastructure" inventory item has only
one baseline-configuration-name.</span></div><div>👎 <span class="diagnostic">This inventory-item has more than one baseline-configuration-name
property.</span></div></td></tr><tr><td>inventory-item-has-vendor-name</td><td><div>👍 <span class="assertion"> "infrastructure"
inventory item has a vendor-name property.</span></div><div>👎 <span class="diagnostic">This inventory-item lacks a vendor-name property.</span></div></td></tr><tr><td>inventory-item-has-one-vendor-name</td><td><div>👍 <span class="assertion">
"infrastructure" inventory item must have only one vendor-name property.</span></div><div>👎 <span class="diagnostic">This inventory-item has more than one vendor-name property.</span></div></td></tr><tr><td>inventory-item-has-hardware-model</td><td><div>👍 <span class="assertion"> "infrastructure"
inventory item must have a hardware-model property.</span></div><div>👎 <span class="diagnostic">This inventory-item lacks a hardware-model property.</span></div></td></tr><tr><td>inventory-item-has-one-hardware-model</td><td><div>👍 <span class="assertion">
"infrastructure" inventory item must have only one hardware-model property.</span></div><div>👎 <span class="diagnostic">This inventory-item has more than one hardware-model property.</span></div></td></tr><tr><td>inventory-item-has-is-scanned</td><td><div>👍 <span class="assertion">"infrastructure" inventory item must have is-scanned
property.</span></div><div>👎 <span class="diagnostic">This inventory-item lacks an is-scanned property.</span></div></td></tr><tr><td>inventory-item-has-one-is-scanned</td><td><div>👍 <span class="assertion">"infrastructure" inventory item must have only one
is-scanned property.</span></div><div>👎 <span class="diagnostic">This inventory-item has more than one is-scanned property.</span></div></td></tr><tr><td>inventory-item-has-software-name</td><td><div>👍 <span class="assertion">"software or database" inventory item must have a
software-name property.</span></div><div>👎 <span class="diagnostic">This inventory-item lacks a software-name property.</span></div></td></tr><tr><td>inventory-item-has-one-software-name</td><td><div>👍 <span class="assertion">"software or database" inventory item must have a
software-name property.</span></div><div>👎 <span class="diagnostic">This inventory-item has more than one software-name property.</span></div></td></tr><tr><td>inventory-item-has-software-version</td><td><div>👍 <span class="assertion">"software or database" inventory item must have a
software-version property.</span></div><div>👎 <span class="diagnostic">This inventory-item lacks a software-version property.</span></div></td></tr><tr><td>inventory-item-has-one-software-version</td><td><div>👍 <span class="assertion">"software or database" inventory item must
have one software-version property.</span></div><div>👎 <span class="diagnostic">This inventory-item has more than one software-version property.</span></div></td></tr><tr><td>inventory-item-has-function</td><td><div>👍 <span class="assertion">"software or database" inventory item must have a function
property.</span></div><div>👎 <span class="diagnostic"><span class="substitution">&lt;sch:value-of select="name()"/&gt;</span> "<span class="substitution">&lt;sch:value-of select="oscal:prop[@name = 'asset-type']/@value"/&gt;</span>" lacks a function property.</span></div></td></tr><tr><td>inventory-item-has-one-function</td><td><div>👍 <span class="assertion">"software or database" inventory item must have one
function property.</span></div><div>👎 <span class="diagnostic"><span class="substitution">&lt;sch:value-of select="name()"/&gt;</span> "<span class="substitution">&lt;sch:value-of select="oscal:prop[@name = 'asset-type']/@value"/&gt;</span>" has more than one function property.</span></div></td></tr><tr><td>has-this-system-component</td><td><div>👍 <span class="assertion">A FedRAMP SSP must have a self-referential (i.e., to the SSP itself)
component.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP lacks a "this-system" component.</span></div></td></tr><tr><td>has-system-id</td><td><div>👍 <span class="assertion">A FedRAMP SSP must have a FedRAMP system identifier.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP lacks a FedRAMP system-id.</span></div></td></tr><tr><td>has-system-name</td><td><div>👍 <span class="assertion">A FedRAMP SSP must have a system name.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP lacks a system-name.</span></div></td></tr><tr><td>has-system-name-short</td><td><div>👍 <span class="assertion">A FedRAMP SSP must have a short system name.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP lacks a system-name-short.</span></div></td></tr><tr><td>has-fedramp-authorization-type</td><td><div>👍 <span class="assertion">
A FedRAMP SSP must have a FedRAMP authorization type.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP lacks a FedRAMP authorization type.</span></div></td></tr><tr><td>role-defined-system-owner</td><td><div>👍 <span class="assertion">The System Owner role must be defined.</span></div><div>👎 <span class="diagnostic">The system-owner role is missing.</span></div></td></tr><tr><td>role-defined-authorizing-official</td><td><div>👍 <span class="assertion">The Authorizing Official role must be defined.</span></div><div>👎 <span class="diagnostic">The authorizing-official role is missing.</span></div></td></tr><tr><td>role-defined-system-poc-management</td><td><div>👍 <span class="assertion">The System Management PoC role must be defined.</span></div><div>👎 <span class="diagnostic">The system-poc-management role is missing.</span></div></td></tr><tr><td>role-defined-system-poc-technical</td><td><div>👍 <span class="assertion">The System Technical PoC role must be defined.</span></div><div>👎 <span class="diagnostic">The system-poc-technical role is missing.</span></div></td></tr><tr><td>role-defined-system-poc-other</td><td><div>👍 <span class="assertion">The System Other PoC role must be defined.</span></div><div>👎 <span class="diagnostic">The system-poc-other role is missing.</span></div></td></tr><tr><td>role-defined-information-system-security-officer</td><td><div>👍 <span class="assertion">The Information System Security Officer role must be
defined.</span></div><div>👎 <span class="diagnostic">The information-system-security-officer role is missing.</span></div></td></tr><tr><td>role-defined-authorizing-official-poc</td><td><div>👍 <span class="assertion">The Authorizing Official PoC role must be defined.</span></div><div>👎 <span class="diagnostic">The authorizing-official-poc role is missing.</span></div></td></tr><tr><td>role-has-title</td><td><div>👍 <span class="assertion">A role must have a title.</span></div><div>👎 <span class="diagnostic">This role lacks a title.</span></div></td></tr><tr><td>role-has-responsible-party</td><td><div>👍 <span class="assertion">One or more responsible parties must be defined for each role.</span></div><div>👎 <span class="diagnostic">This role has no responsible parties.</span></div></td></tr><tr><td>responsible-party-has-person</td><td><div>👍 <span class="assertion">Each responsible party must identify a person using that
person's unique identifier.</span></div><div>👎 <span class="diagnostic">This responsible-party party-uuid does not identify a person.</span></div></td></tr><tr><td>party-has-responsibility</td><td><div>👍 <span class="assertion">Each person should have a responsibility.</span></div><div>👎 <span class="diagnostic">This person has no responsibility.</span></div></td></tr><tr><td>implemented-requirement-has-responsible-role</td><td><div>👍 <span class="assertion">Each implemented control must have one or more responsible-role definitions.</span></div><div>👎 <span class="diagnostic">This implemented-requirement lacks a responsible-role
definition.</span></div></td></tr><tr><td>responsible-role-has-role-definition</td><td><div>👍 <span class="assertion">Each responsible-role must reference a role definition.</span></div><div>👎 <span class="diagnostic">This responsible-role references a non-existent role definition.</span></div></td></tr><tr><td>responsible-role-has-user</td><td><div>👍 <span class="assertion">Each responsible-role must be referenced in a system-implementation user
assembly.</span></div><div>👎 <span class="diagnostic">This responsible-role lacks a system-implementation user assembly.</span></div></td></tr><tr><td>user-has-role-id</td><td><div>👍 <span class="assertion">Every user has a role identifier.</span></div><div>👎 <span class="diagnostic">This user lacks a role-id.</span></div></td></tr><tr><td>user-has-user-type</td><td><div>👍 <span class="assertion">Every user has a user type.</span></div><div>👎 <span class="diagnostic">This user lacks a user type property.</span></div></td></tr><tr><td>user-has-privilege-level</td><td><div>👍 <span class="assertion">Every user has a privilege-level.</span></div><div>👎 <span class="diagnostic">This user lacks a privilege-level property.</span></div></td></tr><tr><td>user-has-sensitivity-level</td><td><div>👍 <span class="assertion">Every user has a sensitivity level.</span></div><div>👎 <span class="diagnostic">This user lacks a sensitivity level property.</span></div></td></tr><tr><td>user-has-authorized-privilege</td><td><div>👍 <span class="assertion">Every user has one or more authorized privileges.</span></div><div>👎 <span class="diagnostic">This user lacks one or more authorized-privileges.</span></div></td></tr><tr><td>role-id-has-role-definition</td><td><div>👍 <span class="assertion">Each identified role must reference a role definition.</span></div><div>👎 <span class="diagnostic">This role-id references a non-existent role definition.</span></div></td></tr><tr><td>user-user-type-has-allowed-value</td><td><div>👍 <span class="assertion">User type property has an allowed value.</span></div><div>👎 <span class="diagnostic">This user type property lacks an allowed value.</span></div></td></tr><tr><td>user-privilege-level-has-allowed-value</td><td><div>👍 <span class="assertion">User privilege level has an allowed value.</span></div><div>👎 <span class="diagnostic">User privilege-level property has an allowed 
value.</span></div></td></tr><tr><td>user-sensitivity-level-has-allowed-value</td><td><div>👍 <span class="assertion">User sensitivity level has an allowed value.</span></div><div>👎 <span class="diagnostic">This user sensitivity level property lacks an allowed value.</span></div></td></tr><tr><td>authorized-privilege-has-title</td><td><div>👍 <span class="assertion">Every authorized privilege has a title.</span></div><div>👎 <span class="diagnostic">This authorized-privilege lacks a title.</span></div></td></tr><tr><td>authorized-privilege-has-function-performed</td><td><div>👍 <span class="assertion">Every authorized privilege is associated with one or more functions performed.</span></div><div>👎 <span class="diagnostic">This authorized-privilege lacks one or more
function-performed.</span></div></td></tr><tr><td>authorized-privilege-has-non-empty-title</td><td><div>👍 <span class="assertion">Every authorized privilege title is not empty.</span></div><div>👎 <span class="diagnostic">This authorized-privilege title is empty.</span></div></td></tr><tr><td>authorized-privilege-has-non-empty-function-performed</td><td><div>👍 <span class="assertion">Every authorized privilege function performed has a definition.</span></div><div>👎 <span class="diagnostic">This authorized-privilege lacks a non-empty
function-performed.</span></div></td></tr><tr><td>has-authorization-boundary</td><td><div>👍 <span class="assertion">A FedRAMP SSP includes an authorization boundary.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP lacks an authorization-boundary in its
system-characteristics.</span></div></td></tr><tr><td>has-authorization-boundary-description</td><td><div>👍 <span class="assertion">A FedRAMP SSP has an authorization boundary description.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP lacks an authorization-boundary
description.</span></div></td></tr><tr><td>has-authorization-boundary-diagram</td><td><div>👍 <span class="assertion">A FedRAMP SSP has at least one authorization boundary diagram.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP lacks at least one authorization-boundary
diagram.</span></div></td></tr><tr><td>has-authorization-boundary-diagram-uuid</td><td><div>👍 <span class="assertion">Each FedRAMP SSP authorization boundary diagram has a unique identifier.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP authorization-boundary diagram lacks a uuid
attribute.</span></div></td></tr><tr><td>has-authorization-boundary-diagram-description</td><td><div>👍 <span class="assertion">Each FedRAMP SSP authorization boundary diagram has a description.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP authorization-boundary diagram lacks a
description.</span></div></td></tr><tr><td>has-authorization-boundary-diagram-link</td><td><div>👍 <span class="assertion">Each FedRAMP SSP authorization boundary diagram has a link.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP authorization-boundary diagram lacks a
link.</span></div></td></tr><tr><td>has-authorization-boundary-diagram-caption</td><td><div>👍 <span class="assertion">Each FedRAMP SSP authorization boundary diagram has a caption.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP authorization-boundary diagram lacks a
caption.</span></div></td></tr><tr><td>has-authorization-boundary-diagram-link-rel</td><td><div>👍 <span class="assertion">Each FedRAMP SSP authorization boundary diagram has a link rel attribute.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP authorization-boundary diagram lacks a link rel
attribute.</span></div></td></tr><tr><td>has-authorization-boundary-diagram-link-rel-allowed-value</td><td><div>👍 <span class="assertion">Each FedRAMP SSP authorization boundary diagram has a link rel attribute with the value
"diagram".</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP authorization-boundary diagram lacks a
link rel attribute with the value "diagram".</span></div></td></tr><tr><td>has-authorization-boundary-diagram-link-href-target</td><td><div>👍 <span class="assertion">A FedRAMP SSP authorization boundary diagram link
references a back-matter resource representing the diagram document.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP authorization-boundary diagram link does not
reference a back-matter resource representing the diagram document.</span></div></td></tr><tr><td>has-network-architecture</td><td><div>👍 <span class="assertion">A FedRAMP SSP includes a network architecture diagram.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP lacks a network-architecture in its
system-characteristics.</span></div></td></tr><tr><td>has-network-architecture-description</td><td><div>👍 <span class="assertion">A FedRAMP SSP has a network architecture description.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP lacks a network-architecture description.</span></div></td></tr><tr><td>has-network-architecture-diagram</td><td><div>👍 <span class="assertion">A FedRAMP SSP has at least one network architecture diagram.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP lacks at least one network-architecture diagram.</span></div></td></tr><tr><td>has-network-architecture-diagram-uuid</td><td><div>👍 <span class="assertion">Each FedRAMP SSP network architecture diagram has a unique identifier.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP network-architecture diagram lacks a uuid
attribute.</span></div></td></tr><tr><td>has-network-architecture-diagram-description</td><td><div>👍 <span class="assertion">Each FedRAMP SSP network architecture diagram has a description.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP network-architecture diagram lacks a
description.</span></div></td></tr><tr><td>has-network-architecture-diagram-link</td><td><div>👍 <span class="assertion">Each FedRAMP SSP network architecture diagram has a link.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP network-architecture diagram lacks a link.</span></div></td></tr><tr><td>has-network-architecture-diagram-caption</td><td><div>👍 <span class="assertion">Each FedRAMP SSP network architecture diagram has a caption.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP network-architecture diagram lacks a
caption.</span></div></td></tr><tr><td>has-network-architecture-diagram-link-rel</td><td><div>👍 <span class="assertion">Each FedRAMP SSP network architecture diagram has a link rel attribute.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP network-architecture diagram lacks a link rel
attribute.</span></div></td></tr><tr><td>has-network-architecture-diagram-link-rel-allowed-value</td><td><div>👍 <span class="assertion">Each FedRAMP SSP network architecture diagram has a link rel attribute with the value "diagram".</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP network-architecture diagram lacks a link
rel attribute with the value "diagram".</span></div></td></tr><tr><td>has-network-architecture-diagram-link-href-target</td><td><div>👍 <span class="assertion">A FedRAMP SSP network architecture diagram link
references a back-matter resource representing the diagram document.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP network-architecture diagram link does not
reference a back-matter resource representing the diagram document.</span></div></td></tr><tr><td>has-data-flow</td><td><div>👍 <span class="assertion">A FedRAMP SSP includes a data flow diagram.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP lacks a data-flow in its system-characteristics.</span></div></td></tr><tr><td>has-data-flow-description</td><td><div>👍 <span class="assertion">A FedRAMP SSP has a data flow description.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP lacks a data-flow description.</span></div></td></tr><tr><td>has-data-flow-diagram</td><td><div>👍 <span class="assertion">A FedRAMP SSP has at least one data flow diagram.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP lacks at least one data-flow diagram.</span></div></td></tr><tr><td>has-data-flow-diagram-uuid</td><td><div>👍 <span class="assertion">Each FedRAMP SSP data flow diagram has a unique identifier.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP data-flow diagram lacks a uuid attribute.</span></div></td></tr><tr><td>has-data-flow-diagram-description</td><td><div>👍 <span class="assertion">Each FedRAMP SSP data flow diagram has a description.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP data-flow diagram lacks a description.</span></div></td></tr><tr><td>has-data-flow-diagram-link</td><td><div>👍 <span class="assertion">Each FedRAMP SSP data flow diagram has a link.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP data-flow diagram lacks a link.</span></div></td></tr><tr><td>has-data-flow-diagram-caption</td><td><div>👍 <span class="assertion">Each FedRAMP SSP data flow diagram has a caption.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP data-flow diagram lacks a caption.</span></div></td></tr><tr><td>has-data-flow-diagram-link-rel</td><td><div>👍 <span class="assertion">Each FedRAMP SSP data flow diagram has a link rel attribute.</span></div><div>👎 
<span class="diagnostic">This FedRAMP OSCAL SSP data-flow diagram lacks a link rel attribute.</span></div></td></tr><tr><td>has-data-flow-diagram-link-rel-allowed-value</td><td><div>👍 <span class="assertion">Each FedRAMP SSP data flow diagram has a link rel attribute with the value "diagram".</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP data-flow diagram lacks a link rel attribute with the
value "diagram".</span></div></td></tr><tr><td>has-data-flow-diagram-link-href-target</td><td><div>👍 <span class="assertion">A FedRAMP SSP data flow diagram link references a
back-matter resource representing the diagram document.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP data-flow diagram link does not reference a back-matter
resource representing the diagram document.</span></div></td></tr><tr><td>system-security-plan-has-import-profile</td><td><div>👍 <span class="assertion">A FedRAMP SSP declares the related FedRAMP OSCAL Profile using an import-profile
element.</span></div><div>👎 <span class="diagnostic">This FedRAMP OSCAL SSP lacks an import-profile element.</span></div></td></tr><tr><td>import-profile-has-href-attribute</td><td><div>👍 <span class="assertion">The import-profile element has a reference.</span></div><div>👎 <span class="diagnostic">The import-profile element lacks an href attribute.</span></div></td></tr><tr><td>implemented-requirement-has-implementation-status</td><td><div>👍 <span class="assertion">Every implemented requirement
has an implementation-status property.</span></div><div>👎 <span class="diagnostic">This implemented-requirement lacks an
implementation-status.</span></div></td></tr><tr><td>implemented-requirement-has-planned-completion-date</td><td><div>👍 <span class="assertion">Planned control implementations have a planned completion date.</span></div><div>👎 <span class="diagnostic">This planned control implementation lacks a planned completion
date.</span></div></td></tr><tr><td>implemented-requirement-has-control-origination</td><td><div>👍 <span class="assertion">Every implemented requirement has a
control origin.</span></div><div>👎 <span class="diagnostic">This implemented-requirement lacks a control-origination
property.</span></div></td></tr><tr><td>implemented-requirement-has-allowed-control-origination</td><td><div>👍 <span class="assertion"> Every
implemented requirement has an allowed control origin.</span></div><div>👎 <span class="diagnostic">This implemented-requirement lacks an allowed control-origination
property.</span></div></td></tr><tr><td>implemented-requirement-has-leveraged-authorization</td><td><div>👍 <span class="assertion">Every implemented requirement with a control origin of "inherited" references a leveraged
authorization.</span></div><div>👎 <span class="diagnostic">This implemented-requirement with a control-origination property of
"inherited" does not reference a leveraged-authorization element in the same document.</span></div></td></tr><tr><td>implemented-requirement-has-implementation-status-remarks</td><td><div>👍 <span class="assertion">Incomplete control implementations have an explanation.</span></div><div>👎 <span class="diagnostic">This incomplete control implementation lacks an
explanation.</span></div></td></tr><tr><td>planned-completion-date-is-valid</td><td><div>👍 <span class="assertion">Planned completion date is valid.</span></div><div>👎 <span class="diagnostic">This planned completion date is not valid.</span></div></td></tr><tr><td>planned-completion-date-is-not-past</td><td><div>👍 <span class="assertion">Planned completion date is not past.</span></div><div>👎 <span class="diagnostic">This planned completion date references a past time.</span></div></td></tr><tr><td>has-cloud-service-model</td><td><div>👍 <span class="assertion">A FedRAMP SSP must specify a cloud service model.</span></div><div>👎 <span class="diagnostic">A FedRAMP SSP must specify a cloud service model.</span></div></td></tr><tr><td>has-allowed-cloud-service-model</td><td><div>👍 <span class="assertion">A FedRAMP SSP must specify an allowed cloud service
model.</span></div><div>👎 <span class="diagnostic">A FedRAMP SSP must specify an allowed cloud service model.</span></div></td></tr><tr><td>has-cloud-service-model-remarks</td><td><div>👍 <span class="assertion">A FedRAMP SSP with a cloud service model of "other" must supply remarks.</span></div><div>👎 <span class="diagnostic">A FedRAMP SSP with a cloud service model of "other" must supply remarks.</span></div></td></tr><tr><td>has-cloud-deployment-model</td><td><div>👍 <span class="assertion">A FedRAMP SSP must specify a cloud deployment model.</span></div><div>👎 <span class="diagnostic">A FedRAMP SSP must specify a cloud deployment model.</span></div></td></tr><tr><td>has-allowed-cloud-deployment-model</td><td><div>👍 <span class="assertion">A FedRAMP SSP must specify an allowed cloud
deployment model.</span></div><div>👎 <span class="diagnostic">A FedRAMP SSP must specify an allowed cloud deployment model.</span></div></td></tr><tr><td>has-cloud-deployment-model-remarks</td><td><div>👍 <span class="assertion">A FedRAMP SSP with a cloud deployment model of "hybrid-cloud" must supply remarks.</span></div><div>👎 <span class="diagnostic">A FedRAMP SSP with a cloud deployment model of "hybrid-cloud" must supply
remarks.</span></div></td></tr><tr><td>has-public-cloud-deployment-model</td><td><div>👍 <span class="assertion">When a FedRAMP SSP has public components or inventory items, a cloud deployment model of "public-cloud" must be
employed.</span></div><div>👎 <span class="diagnostic">When a FedRAMP SSP has public components or inventory items, a cloud deployment model of
"public-cloud" must be employed.</span></div></td></tr></tbody></table><h2>Assertions</h2><p>The following table lists Schematron <code>assert</code> and <code>report</code> elements with the Schematron ID, assertion
(affirmative statement), diagnostic (negative statement used when the assertion was false), and related attributes. Each of these
is subordinate to a context defined in a parent Schematron <code>rule</code> element.</p><table><caption><div>List of assertions</div><p>There are 216 Schematron assertions as of this update.</p></caption><colgroup><col style="width:15%;"><col></colgroup><thead><tr><th>ID</th><th>Statement</th></tr></thead><tbody><tr><td><div id="no-registry-values">no-registry-values</div></td><td><div>👍 <span class="assertion">The validation technical components are present.</span></div><div>👎 <span class="diagnostic" title="no-registry-values-diagnostic">The validation technical components at the path '<span class="substitution">&lt;sch:value-of select="$registry-base-path"/&gt;</span>' are not present, this configuration is invalid.</span></div><div>context: <code>/o:system-security-plan</code></div><div>test: <code>count($registry/f:fedramp-values/f:value-set) &gt; 0</code></div><div>role: <code>fatal</code></div><div>affirmative XSpec test: <span class="missing">no coverage</span></div><div>negative XSpec test: <span class="missing">no coverage</span></div></td></tr><tr><td><div id="no-security-sensitivity-level">no-security-sensitivity-level</div></td><td><div>👍 <span class="assertion">[Section C Check 1.a] A FedRAMP SSP must define its sensitivity level.</span></div><div>👎 <span class="diagnostic" title="no-security-sensitivity-level-diagnostic">No sensitivity level was found. As a result, no more validation processing can
occur.</span></div><div>context: <code>/o:system-security-plan</code></div><div>test: <code>$sensitivity-level != ''</code></div><div>role: <code>fatal</code></div><div>affirmative XSpec test: <span class="missing">no coverage</span></div><div>negative XSpec test: For an OSCAL FedRAMP SSP ➔ Section 2.1 ➔ when the security sensitivity level ➔ is not defined at all ➔ it is invalid.</div><div>FedRAMP checklist-reference: Section C Check 1.a</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.2</div><div>FedRAMP template-reference: System Security Plan Template §2.2</div></td></tr><tr><td><div id="invalid-security-sensitivity-level">invalid-security-sensitivity-level</div></td><td><div>👍 <span class="assertion">[Section C Check 1.a] A FedRAMP SSP must have an allowed sensitivity
level.</span></div><div>👎 <span class="diagnostic" title="invalid-security-sensitivity-level-diagnostic"><span class="substitution">&lt;sch:value-of select="./name()"/&gt;</span> is an invalid value of '<span class="substitution">&lt;sch:value-of select="lv:sensitivity-level(/)"/&gt;</span>', not an allowed value of <span class="substitution">&lt;sch:value-of select="$corrections"/&gt;</span>. No more validation processing can occur.</span></div><div>context: <code>/o:system-security-plan</code></div><div>test: <code>empty($ok-values) or not(exists($corrections))</code></div><div>role: <code>fatal</code></div><div>affirmative XSpec test: For an OSCAL FedRAMP SSP ➔ Section 2.1 ➔ when the security sensitivity level ➔ is set to a value from the official FedRAMP list ➔ it is valid.</div><div>negative XSpec test: For an OSCAL FedRAMP SSP ➔ Section 2.1 ➔ when the security sensitivity level ➔ is not set to a value from the official FedRAMP list ➔ it is invalid.</div><div>FedRAMP checklist-reference: Section C Check 1.a</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.2</div><div>FedRAMP template-reference: System Security Plan Template §2.2</div></td></tr><tr><td><div id="implemented-response-points">implemented-response-points</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP must implement a statement for each of the following lettered response points for required
controls: <span class="substitution">&lt;sch:value-of select="$implemented/@statement-id"/&gt;</span>.</span></div><div>context: <code>/o:system-security-plan</code></div><div>test: <code>exists($implemented)</code></div><div>role: <code>information</code></div><div>affirmative XSpec test: <span class="missing">no coverage</span></div><div>negative XSpec test: <span class="missing">no coverage</span></div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §5</div></td></tr><tr><td><div id="each-required-control-report">each-required-control-report</div></td><td><div>👍 <span class="assertion">The following <span class="substitution">&lt;sch:value-of select="count($required-controls)"/&gt;</span><span class="substitution">&lt;sch:value-of select=" if (count($required-controls) = 1) then ' control' else ' controls'"/&gt;</span> are required: <span class="substitution">&lt;sch:value-of select="$required-controls/@id"/&gt;</span>.</span></div><div>context: <code>/o:system-security-plan/o:control-implementation</code></div><div>test: <code>count($required-controls) &gt; 0</code></div><div>role: <code>information</code></div><div>affirmative XSpec test: <span class="missing">no coverage</span></div><div>negative XSpec test: <span class="missing">no coverage</span></div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §5</div></td></tr><tr><td><div id="incomplete-core-implemented-requirements">incomplete-core-implemented-requirements</div></td><td><div>👍 <span class="assertion">[Section C Check 3] A FedRAMP SSP must implement the most important controls.</span></div><div>👎 <span class="diagnostic" title="incomplete-core-implemented-requirements-diagnostic">A FedRAMP SSP must implement the most important <span class="substitution">&lt;sch:value-of select="count($core-missing)"/&gt;</span> core <span class="substitution">&lt;sch:value-of select=" if (count($core-missing) = 1) then ' control' else ' 
controls'"/&gt;</span>: <span class="substitution">&lt;sch:value-of select="$core-missing/@id"/&gt;</span>.</span></div><div>context: <code>/o:system-security-plan/o:control-implementation</code></div><div>test: <code>not(exists($core-missing))</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: For an OSCAL FedRAMP SSP ➔ Section 13 ➔ when the most important core controls are defined ➔ and these controls do not have implemented requirements ➔ it is valid.</div><div>negative XSpec test: For an OSCAL FedRAMP SSP ➔ Section 13 ➔ when the most important core controls are defined ➔ and these controls do not have implemented requirements ➔ it is invalid.</div><div>FedRAMP checklist-reference: Section C Check 3</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §5</div></td></tr><tr><td><div id="incomplete-all-implemented-requirements">incomplete-all-implemented-requirements</div></td><td><div>👍 <span class="assertion">[Section C Check 2] A FedRAMP SSP must implement all required controls.</span></div><div>👎 <span class="diagnostic" title="incomplete-all-implemented-requirements-diagnostic">A FedRAMP SSP must implement <span class="substitution">&lt;sch:value-of select="count($all-missing)"/&gt;</span><span class="substitution">&lt;sch:value-of select=" if (count($all-missing) = 1) then ' control' else ' controls'"/&gt;</span> overall: <span class="substitution">&lt;sch:value-of select="$all-missing/@id"/&gt;</span>.</span></div><div>context: <code>/o:system-security-plan/o:control-implementation</code></div><div>test: <code>not(exists($all-missing))</code></div><div>role: <code>warning</code></div><div>affirmative XSpec test: <span class="missing">no coverage</span></div><div>negative XSpec test: For an OSCAL FedRAMP SSP ➔ Section 13 ➔ when control implementations are defined ➔ and all required implementations are not yet complete ➔ it is invalid.</div><div>FedRAMP checklist-reference: Section C Check 
2</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §5</div><div>FedRAMP template-reference: System Security Plan Template §13</div></td></tr><tr><td><div id="extraneous-implemented-requirements">extraneous-implemented-requirements</div></td><td><div>👍 <span class="assertion">[Section C Check 2] A FedRAMP SSP must not include implemented controls beyond what is required for
the applied baseline.</span></div><div>👎 <span class="diagnostic" title="extraneous-implemented-requirements-diagnostic">A FedRAMP SSP must implement <span class="substitution">&lt;sch:value-of select="count($extraneous)"/&gt;</span> extraneous <span class="substitution">&lt;sch:value-of select=" if (count($extraneous) = 1) then ' control' else ' controls'"/&gt;</span> not needed given the selected profile: <span class="substitution">&lt;sch:value-of select="$extraneous/@control-id"/&gt;</span>.</span></div><div>context: <code>/o:system-security-plan/o:control-implementation</code></div><div>test: <code>not(exists($extraneous))</code></div><div>role: <code>warning</code></div><div>affirmative XSpec test: For an OSCAL FedRAMP SSP ➔ Section 13 ➔ when no extraneous control is implemented except those required by the profile ➔ it is valid.</div><div>negative XSpec test: For an OSCAL FedRAMP SSP ➔ Section 13 ➔ when an extraneous control not required by the profile is implemented ➔ it is invalid.</div><div>FedRAMP checklist-reference: Section C Check 2</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §5</div><div>FedRAMP template-reference: System Security Plan Template §13</div></td></tr><tr><td><div id="control-implemented-requirements-stats">control-implemented-requirements-stats</div></td><td><div>👍 <span class="assertion"><span class="substitution">&lt;sch:value-of select="$results =&gt; lv:report() =&gt; normalize-space()"/&gt;</span>.</span></div><div>context: <code>/o:system-security-plan/o:control-implementation</code></div><div>test: <code>count($results/errors/error) = 0</code></div><div>role: <code>information</code></div><div>affirmative XSpec test: <span class="missing">no coverage</span></div><div>negative XSpec test: <span class="missing">no coverage</span></div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §5</div></td></tr><tr><td><div 
id="invalid-implementation-status">invalid-implementation-status</div></td><td><div>👍 <span class="assertion">[Section C Check 2] Implementation status is correct.</span></div><div>👎 <span class="diagnostic" title="invalid-implementation-status-diagnostic">Invalid implementation status '<span class="substitution">&lt;sch:value-of select="$status"/&gt;</span>' for <span class="substitution">&lt;sch:value-of select="./@control-id"/&gt;</span>, must be <span class="substitution">&lt;sch:value-of select="$corrections"/&gt;</span>.</span></div><div>context: <code>/o:system-security-plan/o:control-implementation/o:implemented-requirement</code></div><div>test: <code>not(exists($corrections))</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: <span class="missing">no coverage</span></div><div>negative XSpec test: For an OSCAL FedRAMP SSP ➔ Section 13 ➔ when control implementations are defined ➔ and requirements are implemented ➔ and any control's implemented requirement is defined with an invalid status ➔ it is invalid.</div><div>FedRAMP checklist-reference: Section C Check 2</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §5.3</div><div>FedRAMP template-reference: System Security Plan Template §13</div></td></tr><tr><td><div id="missing-response-points">missing-response-points</div></td><td><div>👍 <span class="assertion">[Section C Check 2] A FedRAMP SSP must have required response points.</span></div><div>👎 <span class="diagnostic" title="missing-response-points-diagnostic">This FedRAMP SSP lacks a statement for each of the following lettered response points for required
controls: <span class="substitution">&lt;sch:value-of select="$missing/@id"/&gt;</span>.</span></div><div>context: <code>/o:system-security-plan/o:control-implementation/o:implemented-requirement</code></div><div>test: <code>not(exists($missing))</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: <span class="missing">no coverage</span></div><div>negative XSpec test: For an OSCAL FedRAMP SSP ➔ Section 13 ➔ when control implementations are defined ➔ and the profile defines specific response points to address specific control requirements ➔ and response points are properly defined ➔ and response points are missing ➔ it generates an error because missing response points are invalid. ➔ it generates an error because missing response points are invalid.</div><div>FedRAMP checklist-reference: Section C Check 2</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §5</div><div>FedRAMP template-reference: System Security Plan Template §13</div></td></tr><tr><td><div id="missing-response-components">missing-response-components</div></td><td><div>👍 <span class="assertion">[Section D Checks] Response statements have sufficient
components.</span></div><div>👎 <span class="diagnostic" title="missing-response-components-diagnostic">Response statements for <span class="substitution">&lt;sch:value-of select="./@statement-id"/&gt;</span> must have at least <span class="substitution">&lt;sch:value-of select="$required-components-count"/&gt;</span><span class="substitution">&lt;sch:value-of select=" if (count($components-count) = 1) then ' component' else ' components'"/&gt;</span> with a description. There are <span class="substitution">&lt;sch:value-of select="$components-count"/&gt;</span>.</span></div><div>context: <code>/o:system-security-plan/o:control-implementation/o:implemented-requirement/o:statement</code></div><div>test: <code>$components-count &gt;= $required-components-count</code></div><div>role: <code>warning</code></div><div>affirmative XSpec test: <span class="missing">no coverage</span></div><div>negative XSpec test: <span class="missing">no coverage</span></div><div>FedRAMP checklist-reference: Section D Checks</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §5</div><div>FedRAMP template-reference: System Security Plan Template §13</div></td></tr><tr><td><div id="extraneous-response-description">extraneous-response-description</div></td><td><div>👍 <span class="assertion">[Section D Checks] Response statement does not have a description not within a component.</span></div><div>👎 <span class="diagnostic" title="extraneous-response-description-diagnostic">Response statement <span class="substitution">&lt;sch:value-of select="../@statement-id"/&gt;</span> has a description not within a component. That was previously allowed, but not recommended. It will soon
be syntactically invalid and deprecated.</span></div><div>context: <code>/o:system-security-plan/o:control-implementation/o:implemented-requirement/o:statement/o:description</code></div><div>test: <code>. =&gt; empty()</code></div><div>role: <code>warning</code></div><div>affirmative XSpec test: <span class="missing">no coverage</span></div><div>negative XSpec test: For an OSCAL FedRAMP SSP ➔ Section 13 ➔ when control implementations are defined ➔ and implemented requirements have explanatory statement descriptions defined directly in the statement ➔ it generates a warning.</div><div>FedRAMP checklist-reference: Section D Checks</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §5</div><div>FedRAMP template-reference: System Security Plan Template §13</div></td></tr><tr><td><div id="extraneous-response-remarks">extraneous-response-remarks</div></td><td><div>👍 <span class="assertion">[Section D Checks] Response statement does not have remarks not within a component.</span></div><div>👎 <span class="diagnostic" title="extraneous-response-remarks-diagnostic">Response statement <span class="substitution">&lt;sch:value-of select="../@statement-id"/&gt;</span> has remarks not within a component. That was previously allowed, but not recommended. It will soon be
syntactically invalid and deprecated.</span></div><div>context: <code>/o:system-security-plan/o:control-implementation/o:implemented-requirement/o:statement/o:remarks</code></div><div>test: <code>. =&gt; empty()</code></div><div>role: <code>warning</code></div><div>affirmative XSpec test: <span class="missing">no coverage</span></div><div>negative XSpec test: For an OSCAL FedRAMP SSP ➔ Section 13 ➔ when control implementations are defined ➔ and implemented requirements have explanatory statement remarks defined directly in the statement ➔ it generates a warning.</div><div>FedRAMP checklist-reference: Section D Checks</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §5</div><div>FedRAMP template-reference: System Security Plan Template §13</div></td></tr><tr><td><div id="invalid-component-match">invalid-component-match</div></td><td><div>👍 <span class="assertion">[Section D Checks] Response
statement cites a component in the system implementation inventory.</span></div><div>👎 <span class="diagnostic" title="invalid-component-match-diagnostic">Response statement <span class="substitution">&lt;sch:value-of select="../@statement-id"/&gt;</span> with component reference UUID ' <span class="substitution">&lt;sch:value-of select="$component-ref"/&gt;</span>' is not in the system implementation inventory, and cannot be used to define a control.</span></div><div>context: <code>/o:system-security-plan/o:control-implementation/o:implemented-requirement/o:statement/o:by-component</code></div><div>test: <code>/o:system-security-plan/o:system-implementation/o:component[@uuid = $component-ref] =&gt; exists()</code></div><div>role: <code>warning</code></div><div>affirmative XSpec test: For an OSCAL FedRAMP SSP ➔ Section 13 ➔ when control implementations are defined ➔ and implemented requirements have a component reference ➔ and it references a component with a valid ID. ➔ it is valid.</div><div>negative XSpec test: For an OSCAL FedRAMP SSP ➔ Section 13 ➔ when control implementations are defined ➔ and implemented requirements have a component reference ➔ and it references a component with an ID not previously declared. ➔ and it references a component with an ID and no components are declared. ➔ it generates a warning. ➔ it generates a warning.</div><div>FedRAMP checklist-reference: Section D Checks</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §5</div><div>FedRAMP template-reference: System Security Plan Template §13</div></td></tr><tr><td><div id="missing-component-description">missing-component-description</div></td><td><div>👍 <span class="assertion">[Section D Checks] Response statement has a component which has a required
description.</span></div><div>👎 <span class="diagnostic" title="missing-component-description-diagnostic">Response statement <span class="substitution">&lt;sch:value-of select="../@statement-id"/&gt;</span> has a component, but that component is missing a required description node.</span></div><div>context: <code>/o:system-security-plan/o:control-implementation/o:implemented-requirement/o:statement/o:by-component</code></div><div>test: <code>./o:description =&gt; exists()</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: For an OSCAL FedRAMP SSP ➔ Section 13 ➔ when control implementations are defined ➔ and implemented requirements have explanatory statement in a component reference ➔ and the component reference has a description ➔ it is valid.</div><div>negative XSpec test: For an OSCAL FedRAMP SSP ➔ Section 13 ➔ when control implementations are defined ➔ and implemented requirements have explanatory statement in a component reference ➔ and the component reference has no description ➔ it is valid.</div><div>FedRAMP checklist-reference: Section D Checks</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §5</div><div>FedRAMP template-reference: System Security Plan Template §13</div></td></tr><tr><td><div id="incomplete-response-description">incomplete-response-description</div></td><td><div>👍 <span class="assertion">[Section D Checks] Response statement component description has adequate
length.</span></div><div>👎 <span class="diagnostic" title="incomplete-response-description-diagnostic">Response statement component description for <span class="substitution">&lt;sch:value-of select="../../@statement-id"/&gt;</span> is too short with <span class="substitution">&lt;sch:value-of select="$description-length"/&gt;</span> characters. It must be <span class="substitution">&lt;sch:value-of select="$required-length"/&gt;</span> characters long.</span></div><div>context: <code>/o:system-security-plan/o:control-implementation/o:implemented-requirement/o:statement/o:by-component/o:description</code></div><div>test: <code>$description-length &gt;= $required-length</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: For an OSCAL FedRAMP SSP ➔ Section 13 ➔ when control implementations are defined ➔ and implemented requirements have explanatory statement descriptions properly defined in a component reference ➔ and it is sufficiently long ➔ it is valid.</div><div>negative XSpec test: For an OSCAL FedRAMP SSP ➔ Section 13 ➔ when control implementations are defined ➔ and implemented requirements have explanatory statement descriptions properly defined in a component reference ➔ and it is not sufficiently long ➔ it is invalid.</div><div>FedRAMP checklist-reference: Section D Checks</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §5</div><div>FedRAMP template-reference: System Security Plan Template §13</div></td></tr><tr><td><div id="incomplete-response-remarks">incomplete-response-remarks</div></td><td><div>👍 <span class="assertion">[Section D Checks] Response statement component remarks have adequate
length.</span></div><div>👎 <span class="diagnostic" title="incomplete-response-remarks-diagnostic">Response statement component remarks for <span class="substitution">&lt;sch:value-of select="../../@statement-id"/&gt;</span> is too short with <span class="substitution">&lt;sch:value-of select="$remarks-length"/&gt;</span> characters. It must be <span class="substitution">&lt;sch:value-of select="$required-length"/&gt;</span> characters long.</span></div><div>context: <code>/o:system-security-plan/o:control-implementation/o:implemented-requirement/o:statement/o:by-component/o:remarks</code></div><div>test: <code>$remarks-length &gt;= $required-length</code></div><div>role: <code>warning</code></div><div>affirmative XSpec test: For an OSCAL FedRAMP SSP ➔ Section 13 ➔ when control implementations are defined ➔ and implemented requirements have explanatory statement remarks properly defined in a component reference ➔ and it is sufficiently long ➔ it is valid.</div><div>negative XSpec test: For an OSCAL FedRAMP SSP ➔ Section 13 ➔ when control implementations are defined ➔ and implemented requirements have explanatory statement remarks properly defined in a component reference ➔ and it is not sufficiently long ➔ it is invalid.</div><div>FedRAMP checklist-reference: Section D Checks</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §5</div><div>FedRAMP template-reference: System Security Plan Template §13</div></td></tr><tr><td><div id="incorrect-role-association">incorrect-role-association</div></td><td><div>👍 <span class="assertion">[Section C Check 2] A FedRAMP SSP must define a responsible party with no extraneous
roles.</span></div><div>👎 <span class="diagnostic" title="incorrect-role-association-diagnostic">A FedRAMP SSP must define a responsible party with <span class="substitution">&lt;sch:value-of select="count($extraneous-roles)"/&gt;</span><span class="substitution">&lt;sch:value-of select=" if (count($extraneous-roles) = 1) then ' role' else ' roles'"/&gt;</span> not defined in the role: <span class="substitution">&lt;sch:value-of select="$extraneous-roles/@role-id"/&gt;</span>.</span></div><div>context: <code>/o:system-security-plan/o:metadata</code></div><div>test: <code>not(exists($extraneous-roles))</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: For an OSCAL FedRAMP SSP ➔ Section 6 ➔ when responsible party ➔ references a valid role and valid party ➔ role positive case.</div><div>negative XSpec test: For an OSCAL FedRAMP SSP ➔ Section 6 ➔ when responsible party ➔ references an invalid role but valid party ➔ references an invalid role and invalid party ➔ role-id referenced is not defined case. ➔ role-id referenced is not defined case.</div><div>FedRAMP checklist-reference: Section C Check 2</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.18</div><div>FedRAMP template-reference: System Security Plan Template §9.3</div></td></tr><tr><td><div id="incorrect-party-association">incorrect-party-association</div></td><td><div>👍 <span class="assertion">[Section C Check 2] A FedRAMP SSP must define a responsible party with no extraneous
parties.</span></div><div>👎 <span class="diagnostic" title="incorrect-party-association-diagnostic">A FedRAMP SSP must define a responsible party with <span class="substitution">&lt;sch:value-of select="count($extraneous-parties)"/&gt;</span><span class="substitution">&lt;sch:value-of select=" if (count($extraneous-parties) = 1) then ' party' else ' parties'"/&gt;</span> is not a defined party: <span class="substitution">&lt;sch:value-of select="$extraneous-parties/o:party-uuid"/&gt;</span>.</span></div><div>context: <code>/o:system-security-plan/o:metadata</code></div><div>test: <code>not(exists($extraneous-parties))</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: For an OSCAL FedRAMP SSP ➔ Section 6 ➔ when responsible party ➔ references a valid role and valid party ➔ party positive case.</div><div>negative XSpec test: For an OSCAL FedRAMP SSP ➔ Section 6 ➔ when responsible party ➔ references a valid role but invalid party ➔ references an invalid role and invalid party ➔ party-uuid referenced is not defined, case. 
➔ party-uuid referenced is not defined, case.</div><div>FedRAMP checklist-reference: Section C Check 2</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.18</div><div>FedRAMP template-reference: System Security Plan Template §9.3</div></td></tr><tr><td><div id="resource-uuid-required">resource-uuid-required</div></td><td><div>👍 <span class="assertion">Every supporting artifact found in a citation has a unique identifier.</span></div><div>👎 <span class="diagnostic" title="resource-uuid-required-diagnostic">This FedRAMP SSP has a back-matter resource which lacks a UUID.</span></div><div>context: <code>/o:system-security-plan/o:back-matter/o:resource</code></div><div>test: <code>@uuid</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: <span class="missing">no coverage</span></div><div>negative XSpec test: For an OSCAL FedRAMP SSP ➔ Chapter 15 ➔ when required attachments ➔ specified via back matter resource ➔ has missing required fields ➔ back-matter resource missing uuid attribute.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6</div><div>FedRAMP template-reference: System Security Plan Template §9.3</div></td></tr><tr><td><div id="resource-base64-available-filename">resource-base64-available-filename</div></td><td><div>👍 <span class="assertion">Every declared embedded attachment has a filename attribute.</span></div><div>👎 <span class="diagnostic" title="resource-base64-available-filename-diagnostic">This base64 lacks a filename attribute.</span></div><div>context: <code>/o:system-security-plan/o:back-matter/o:resource/o:base64</code></div><div>test: <code>./@filename</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: <span class="missing">no coverage</span></div><div>negative XSpec test: <span class="missing">no coverage</span></div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP Content §4.10</div><div>FedRAMP 
template-reference: System Security Plan Template §15</div></td></tr><tr><td><div id="resource-base64-available-media-type">resource-base64-available-media-type</div></td><td><div>👍 <span class="assertion">Every declared embedded attachment has a media type.</span></div><div>👎 <span class="diagnostic" title="resource-base64-available-media-type-diagnostic">This base64 lacks a media-type attribute.</span></div><div>context: <code>/o:system-security-plan/o:back-matter/o:resource/o:base64</code></div><div>test: <code>./@media-type</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: <span class="missing">no coverage</span></div><div>negative XSpec test: <span class="missing">no coverage</span></div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP Content §4.10</div><div>FedRAMP template-reference: System Security Plan Template §15</div></td></tr><tr><td><div id="resource-has-uuid">resource-has-uuid</div></td><td><div>👍 <span class="assertion">Every supporting artifact found in a citation must have a unique identifier.</span></div><div>👎 <span class="diagnostic" title="resource-has-uuid-diagnostic">This resource lacks a uuid attribute.</span></div><div>context: <code>oscal:resource</code></div><div>test: <code>@uuid</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments ➔ General: ➔ when a resource ➔ has a uuid ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments ➔ General: ➔ when a resource ➔ lacks a uuid ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.1</div><div>FedRAMP template-reference: System Security Plan Template §15</div></td></tr><tr><td><div id="resource-has-title">resource-has-title</div></td><td><div>👍 <span class="assertion">Every supporting artifact found in a citation should have a title.</span></div><div>👎 <span class="diagnostic" title="resource-has-title-diagnostic">This resource 
lacks a title.</span></div><div>context: <code>oscal:resource</code></div><div>test: <code>oscal:title</code></div><div>role: <code>warning</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments ➔ General: ➔ when a resource ➔ has a title ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments ➔ General: ➔ when a resource ➔ lacks a title ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.1</div><div>FedRAMP template-reference: System Security Plan Template §15</div></td></tr><tr><td><div id="resource-has-rlink">resource-has-rlink</div></td><td><div>👍 <span class="assertion">Every supporting artifact found in a citation must have a rlink element.</span></div><div>👎 <span class="diagnostic" title="resource-has-rlink-diagnostic">This resource lacks a rlink element.</span></div><div>context: <code>oscal:resource</code></div><div>test: <code>oscal:rlink</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments ➔ General: ➔ when a resource ➔ has a rlink ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments ➔ General: ➔ when a resource ➔ lacks a rlink ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.1</div><div>FedRAMP template-reference: System Security Plan Template §15</div></td></tr><tr><td><div id="resource-is-referenced">resource-is-referenced</div></td><td><div>👍 <span class="assertion">Every supporting artifact found in a citation should be
referenced from within the document.</span></div><div>👎 <span class="diagnostic" title="resource-is-referenced-diagnostic">This resource lacks a reference within the document.</span></div><div>context: <code>oscal:resource</code></div><div>test: <code>@uuid = (//@href[matches(., '^#')] ! substring-after(., '#'))</code></div><div>role: <code>information</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments ➔ General: ➔ when a resource ➔ is referenced ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments ➔ General: ➔ when a resource ➔ is not referenced ➔ that is an anomaly</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.1</div><div>FedRAMP template-reference: System Security Plan Template §15</div></td></tr><tr><td><div id="attachment-type-is-valid">attachment-type-is-valid</div></td><td><div>👍 <span class="assertion">A supporting artifact found in a citation should have an allowed attachment type.</span></div><div>👎 <span class="diagnostic" title="attachment-type-is-valid-diagnostic">Found unknown attachment type «<span class="substitution">&lt;sch:value-of select="@value"/&gt;</span>» in <span class="substitution">&lt;sch:value-of select=" if (parent::oscal:resource/oscal:title) then concat('"', parent::oscal:resource/oscal:title, '"') else 'untitled'"/&gt;</span> resource.</span></div><div>context: <code>oscal:back-matter/oscal:resource/oscal:prop[@name = 'type']</code></div><div>test: <code>@value = $attachment-types</code></div><div>role: <code>warning</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments ➔ General: ➔ when a resource attachment type ➔ is allowed ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments ➔ General: ➔ when a resource attachment type ➔ is not allowed ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.1</div><div>FedRAMP template-reference: System Security 
Plan Template §15</div></td></tr><tr><td><div id="rlink-has-href">rlink-has-href</div></td><td><div>👍 <span class="assertion">Every supporting artifact found in a citation rlink must have a reference.</span></div><div>👎 <span class="diagnostic" title="rlink-has-href-diagnostic">This rlink lacks an href attribute.</span></div><div>context: <code>oscal:back-matter/oscal:resource/oscal:rlink</code></div><div>test: <code>@href</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments ➔ General: ➔ when an rlink ➔ has an href ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments ➔ General: ➔ when an rlink ➔ lacks an href ➔ that is correct</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.1</div><div>FedRAMP template-reference: System Security Plan Template §15</div></td></tr><tr><td><div id="has-allowed-media-type">has-allowed-media-type</div></td><td><div>👍 <span class="assertion">A media-type attribute must have an allowed value.</span></div><div>👎 <span class="diagnostic" title="has-allowed-media-type-diagnostic">This <span class="substitution">&lt;sch:value-of select="name(parent::node())"/&gt;</span> has a media-type="<span class="substitution">&lt;sch:value-of select="current()/@media-type"/&gt;</span>" which is not in the list of allowed media types. 
Allowed media types are <span class="substitution">&lt;sch:value-of select="string-join($media-types, ' ∨ ')"/&gt;</span>.</span></div><div>context: <code>oscal:rlink | oscal:base64</code></div><div>test: <code>@media-type = $media-types</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments ➔ General: ➔ when the media-type attribute ➔ has an allowed value ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments ➔ General: ➔ when the media-type attribute ➔ lacks an allowed value ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.1</div><div>FedRAMP template-reference: System Security Plan Template §15</div></td></tr><tr><td><div id="resource-has-base64">resource-has-base64</div></td><td><div>👍 <span class="assertion">A supporting artifact found in a citation should have an embedded attachment element.</span></div><div>👎 <span class="diagnostic" title="resource-has-base64-diagnostic">This resource lacks a base64 element.</span></div><div>context: <code>oscal:back-matter/oscal:resource</code></div><div>test: <code>oscal:base64</code></div><div>role: <code>warning</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments ➔ General: ➔ when the base64 element ➔ is present ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments ➔ General: ➔ when the base64 element ➔ is missing ➔ that is a warning</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.1</div><div>FedRAMP template-reference: System Security Plan Template §15</div></td></tr><tr><td><div id="resource-has-base64-cardinality">resource-has-base64-cardinality</div></td><td><div>👍 <span class="assertion">A supporting artifact found in a citation must have only one embedded attachment element.</span></div><div>👎 <span class="diagnostic" title="resource-base64-cardinality-diagnostic">This resource must not have more 
than one base64 element.</span></div><div>context: <code>oscal:back-matter/oscal:resource</code></div><div>test: <code>not(oscal:base64[2])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments ➔ General: ➔ when the base64 element ➔ is singular ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments ➔ General: ➔ when the base64 element ➔ is duplicative ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.1</div><div>FedRAMP template-reference: System Security Plan Template §15</div></td></tr><tr><td><div id="base64-has-filename">base64-has-filename</div></td><td><div>👍 <span class="assertion">Every embedded attachment element must have a filename attribute.</span></div><div>👎 <span class="diagnostic" title="base64-has-filename-diagnostic">This base64 must have a filename attribute.</span></div><div>context: <code>oscal:back-matter/oscal:resource/oscal:base64</code></div><div>test: <code>@filename</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments ➔ General: ➔ when the base64 element ➔ has @filename ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments ➔ General: ➔ when the base64 element ➔ lacks @filename ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.1</div><div>FedRAMP template-reference: System Security Plan Template §15</div></td></tr><tr><td><div id="base64-has-media-type">base64-has-media-type</div></td><td><div>👍 <span class="assertion">Every embedded attachment element must have a media type.</span></div><div>👎 <span class="diagnostic" title="base64-has-media-type-diagnostic">This base64 element lacks a media-type attribute.</span></div><div>context: <code>oscal:back-matter/oscal:resource/oscal:base64</code></div><div>test: <code>@media-type</code></div><div>role: 
<code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments ➔ General: ➔ when the base64 element ➔ has @media-type ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments ➔ General: ➔ when the base64 element ➔ lacks @media-type ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.1</div><div>FedRAMP template-reference: System Security Plan Template §15</div></td></tr><tr><td><div id="base64-has-content">base64-has-content</div></td><td><div>👍 <span class="assertion"> Every
embedded attachment element must have content.</span></div><div>👎 <span class="diagnostic" title="base64-has-content-diagnostic">This base64 element lacks content.</span></div><div>context: <code>oscal:back-matter/oscal:resource/oscal:base64</code></div><div>test: <code>matches(normalize-space(), '^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/][AQgw]==|[A-Za-z0-9+/]{2}[AEIMQUYcgkosw048]=)?$')</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments ➔ General: ➔ when the base64 element ➔ has content ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments ➔ General: ➔ when the base64 element ➔ lacks content ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.1</div><div>FedRAMP template-reference: System Security Plan Template §15</div></td></tr><tr><td><div id="has-fedramp-acronyms">has-fedramp-acronyms</div></td><td><div>👍 <span class="assertion">A FedRAMP
OSCAL SSP must have the FedRAMP Master Acronym and Glossary attached.</span></div><div>👎 <span class="diagnostic" title="has-fedramp-acronyms-diagnostic">This FedRAMP OSCAL SSP lacks the FedRAMP Master Acronym and Glossary.</span></div><div>context: <code>oscal:back-matter</code></div><div>test: <code>oscal:resource[oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @name = 'type' and @value = 'fedramp-acronyms']]</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments ➔ Required attachments: ➔ when the FedRAMP Master Acronym and Glossary attachment ➔ is present ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments ➔ Required attachments: ➔ when the FedRAMP Master Acronym and Glossary attachment ➔ is absent ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP Content §4.8</div><div>FedRAMP template-reference: System Security Plan Template §14</div></td></tr><tr><td><div id="has-fedramp-citations">has-fedramp-citations</div></td><td><div>👍 <span class="assertion"> [Section
B Check 3.12] A FedRAMP SSP must have the FedRAMP Applicable Laws and Regulations attached.</span></div><div>👎 <span class="diagnostic" title="has-fedramp-citations-diagnostic">This FedRAMP OSCAL SSP lacks the FedRAMP Applicable Laws and Regulations.</span></div><div>context: <code>oscal:back-matter</code></div><div>test: <code>oscal:resource[oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @name = 'type' and @value = 'fedramp-citations']]</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments ➔ Required attachments: ➔ when the FedRAMP Applicable Laws and Regulations attachment ➔ is present ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments ➔ Required attachments: ➔ when the FedRAMP Applicable Laws and Regulations attachment ➔ is absent ➔ that is an error</div><div>FedRAMP checklist-reference: Section B Check 3.12</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP Content §4.10</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 12</div></td></tr><tr><td><div id="has-fedramp-logo">has-fedramp-logo</div></td><td><div>👍 <span class="assertion">A FedRAMP OSCAL
SSP must have the FedRAMP Logo attached.</span></div><div>👎 <span class="diagnostic" title="has-fedramp-logo-diagnostic">This FedRAMP OSCAL SSP lacks the FedRAMP Logo.</span></div><div>context: <code>oscal:back-matter</code></div><div>test: <code>oscal:resource[oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @name = 'type' and @value = 'fedramp-logo']]</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments ➔ Required attachments: ➔ when the FedRAMP logo attachment ➔ is present ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments ➔ Required attachments: ➔ when the FedRAMP logo attachment ➔ is absent ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP Content §4.1</div></td></tr><tr><td><div id="has-user-guide">has-user-guide</div></td><td><div>👍 <span class="assertion">[Section B Check
3.2] A FedRAMP SSP must have a User Guide attached.</span></div><div>👎 <span class="diagnostic" title="has-user-guide-diagnostic">This FedRAMP OSCAL SSP lacks a User Guide.</span></div><div>context: <code>oscal:back-matter</code></div><div>test: <code>oscal:resource[oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @name = 'type' and @value = 'user-guide']]</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments ➔ Required attachments: ➔ when the User Guide attachment ➔ is present ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments ➔ Required attachments: ➔ when the User Guide attachment ➔ is absent ➔ that is an error</div><div>FedRAMP checklist-reference: Section B Check 3.2</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 2</div></td></tr><tr><td><div id="has-rules-of-behavior">has-rules-of-behavior</div></td><td><div>👍 <span class="assertion"> [Section
B Check 3.5] A FedRAMP SSP must have Rules of Behavior.</span></div><div>👎 <span class="diagnostic" title="has-rules-of-behavior-diagnostic">This FedRAMP OSCAL SSP lacks a Rules of Behavior.</span></div><div>context: <code>oscal:back-matter</code></div><div>test: <code>oscal:resource[oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @name = 'type' and @value = 'rules-of-behavior']]</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments ➔ Required attachments: ➔ when the Rules of Behavior attachment ➔ is present ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments ➔ Required attachments: ➔ when the Rules of Behavior attachment ➔ is absent ➔ that is an error</div><div>FedRAMP checklist-reference: Section B Check 3.5</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 5</div></td></tr><tr><td><div id="has-information-system-contingency-plan">has-information-system-contingency-plan</div></td><td><div>👍 <span class="assertion">
[Section B Check 3.6] A FedRAMP SSP must have a Contingency Plan attached.</span></div><div>👎 <span class="diagnostic" title="has-information-system-contingency-plan-diagnostic">This FedRAMP OSCAL SSP lacks a Contingency Plan.</span></div><div>context: <code>oscal:back-matter</code></div><div>test: <code>oscal:resource[oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @name = 'type' and @value = 'information-system-contingency-plan']]</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments ➔ Required attachments: ➔ when the Contingency Plan attachment ➔ is present ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments ➔ Required attachments: ➔ when the Contingency Plan attachment ➔ is absent ➔ that is an error</div><div>FedRAMP checklist-reference: Section B Check 3.6</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 6</div></td></tr><tr><td><div id="has-configuration-management-plan">has-configuration-management-plan</div></td><td><div>👍 <span class="assertion">
[Section B Check 3.7] A FedRAMP SSP must have a Configuration Management Plan attached.</span></div><div>👎 <span class="diagnostic" title="has-configuration-management-plan-diagnostic">This FedRAMP OSCAL SSP lacks a Configuration Management Plan.</span></div><div>context: <code>oscal:back-matter</code></div><div>test: <code>oscal:resource[oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @name = 'type' and @value = 'configuration-management-plan']]</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments ➔ Required attachments: ➔ when the Configuration Management Plan attachment ➔ is present ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments ➔ Required attachments: ➔ when the Configuration Management Plan attachment ➔ is absent ➔ that is an error</div><div>FedRAMP checklist-reference: Section B Check 3.7</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 7</div></td></tr><tr><td><div id="has-incident-response-plan">has-incident-response-plan</div></td><td><div>👍 <span class="assertion">
[Section B Check 3.8] A FedRAMP SSP must have an Incident Response Plan attached.</span></div><div>👎 <span class="diagnostic" title="has-incident-response-plan-diagnostic">This FedRAMP OSCAL SSP lacks an Incident Response Plan.</span></div><div>context: <code>oscal:back-matter</code></div><div>test: <code>oscal:resource[oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @name = 'type' and @value = 'incident-response-plan']]</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments ➔ Required attachments: ➔ when the Incident Response Plan attachment ➔ is present ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments ➔ Required attachments: ➔ when the Incident Response Plan attachment ➔ is absent ➔ that is an error</div><div>FedRAMP checklist-reference: Section B Check 3.8</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 8</div></td></tr><tr><td><div id="has-separation-of-duties-matrix">has-separation-of-duties-matrix</div></td><td><div>👍 <span class="assertion">
[Section B Check 3.11] A FedRAMP SSP must have a Separation of Duties Matrix attached.</span></div><div>👎 <span class="diagnostic" title="has-separation-of-duties-matrix-diagnostic">This FedRAMP OSCAL SSP lacks a Separation of Duties Matrix.</span></div><div>context: <code>oscal:back-matter</code></div><div>test: <code>oscal:resource[oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @name = 'type' and @value = 'separation-of-duties-matrix']]</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments ➔ Required attachments: ➔ when the Separation of Duties Matrix attachment ➔ is present ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments ➔ Required attachments: ➔ when the Separation of Duties Matrix attachment ➔ is absent ➔ that is an error</div><div>FedRAMP checklist-reference: Section B Check 3.11</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 11</div></td></tr><tr><td><div id="has-policy-link">has-policy-link</div></td><td><div>👍 <span class="assertion">[Section B Check 3.1] A FedRAMP SSP must incorporate a policy
document for each of the 17 NIST SP 800-53 Revision 4 control families.</span></div><div>👎 <span class="diagnostic" title="has-policy-link-diagnostic"><span class="substitution">&lt;sch:value-of select="local-name()"/&gt;</span><span class="substitution">&lt;sch:value-of select="@control-id"/&gt;</span> lacks policy reference(s) (via by-component link).</span></div><div>context: <code>oscal:implemented-requirement[matches(@control-id, '^[a-z]{2}-1$')]</code></div><div>test: <code>descendant::oscal:by-component/oscal:link[@rel = 'policy']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments ➔ Required attachments: ➔ Policy and Procedure Attachments: ➔ for the policy facet of P&amp;P controls, ➔ when the policy link to the resource declaring the policy document attachment ➔ is present ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments ➔ Required attachments: ➔ Policy and Procedure Attachments: ➔ for the policy facet of P&amp;P controls, ➔ when the policy link to the resource declaring the policy document attachment ➔ is absent ➔ that is an error</div><div>FedRAMP checklist-reference: Section B Check 3.1</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 1</div></td></tr><tr><td><div id="has-policy-attachment-resource">has-policy-attachment-resource</div></td><td><div>👍 <span class="assertion">[Section B
Check 3.1] A FedRAMP SSP must incorporate a policy document for each of the 17 NIST SP 800-53 Revision 4 control
families.</span></div><div>👎 <span class="diagnostic" title="has-policy-attachment-resource-diagnostic"><span class="substitution">&lt;sch:value-of select="local-name()"/&gt;</span><span class="substitution">&lt;sch:value-of select="@control-id"/&gt;</span> lacks policy attachment resource(s) <span class="substitution">&lt;sch:value-of select="string-join($policy-hrefs, ', ')"/&gt;</span>.</span></div><div>context: <code>oscal:implemented-requirement[matches(@control-id, '^[a-z]{2}-1$')]</code></div><div>test: <code> every $ref in $policy-hrefs satisfies exists(//oscal:resource[oscal:prop[@name = 'type' and @value = 'policy']][@uuid = $ref])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments ➔ Required attachments: ➔ Policy and Procedure Attachments: ➔ for the policy facet of P&amp;P controls, ➔ when the policy attachment resource ➔ is present ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments ➔ Required attachments: ➔ Policy and Procedure Attachments: ➔ for the policy facet of P&amp;P controls, ➔ when the policy attachment resource ➔ is absent ➔ that is an error</div><div>FedRAMP checklist-reference: Section B Check 3.1</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 1</div></td></tr><tr><td><div id="has-procedure-link">has-procedure-link</div></td><td><div>👍 <span class="assertion">[Section B Check 3.1] A FedRAMP SSP must incorporate a procedure
document for each of the 17 NIST SP 800-53 Revision 4 control families.</span></div><div>👎 <span class="diagnostic" title="has-procedure-link-diagnostic"><span class="substitution">&lt;sch:value-of select="local-name()"/&gt;</span><span class="substitution">&lt;sch:value-of select="@control-id"/&gt;</span> lacks procedure reference(s) (via by-component link).</span></div><div>context: <code>oscal:implemented-requirement[matches(@control-id, '^[a-z]{2}-1$')]</code></div><div>test: <code>descendant::oscal:by-component/oscal:link[@rel = 'procedure']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments ➔ Required attachments: ➔ Policy and Procedure Attachments: ➔ for the procedure facet of P&amp;P controls, ➔ when the procedure link to the resource declaring the procedure document attachment ➔ is present ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments ➔ Required attachments: ➔ Policy and Procedure Attachments: ➔ for the procedure facet of P&amp;P controls, ➔ when the procedure link to the resource declaring the procedure document attachment ➔ is absent ➔ that is an error</div><div>FedRAMP checklist-reference: Section B Check 3.1</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6</div><div>FedRAMP template-reference: System Security Plan Template §15</div></td></tr><tr><td><div id="has-procedure-attachment-resource">has-procedure-attachment-resource</div></td><td><div>👍 <span class="assertion">[Section
B Check 3.1] A FedRAMP SSP must incorporate a procedure document for each of the 17 NIST SP 800-53 Revision 4 control
families.</span></div><div>👎 <span class="diagnostic" title="has-procedure-attachment-resource-diagnostic"><span class="substitution">&lt;sch:value-of select="local-name()"/&gt;</span><span class="substitution">&lt;sch:value-of select="@control-id"/&gt;</span> lacks procedure attachment resource(s) <span class="substitution">&lt;sch:value-of select="string-join($procedure-hrefs, ', ')"/&gt;</span>.</span></div><div>context: <code>oscal:implemented-requirement[matches(@control-id, '^[a-z]{2}-1$')]</code></div><div>test: <code> (: targets of links exist in the document :) every $ref in $procedure-hrefs satisfies exists(//oscal:resource[oscal:prop[@name = 'type' and @value = 'procedure']][@uuid = $ref])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments ➔ Required attachments: ➔ Policy and Procedure Attachments: ➔ for the procedure facet of P&amp;P controls, ➔ when the procedure attachment resource ➔ is present ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments ➔ Required attachments: ➔ Policy and Procedure Attachments: ➔ for the procedure facet of P&amp;P controls, ➔ when the procedure attachment resource ➔ is absent ➔ that is an error</div><div>FedRAMP checklist-reference: Section B Check 3.1</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 1</div></td></tr><tr><td><div id="has-reuse">has-reuse</div></td><td><div>👍 <span class="assertion">
[Section B Check 3.1] Policy and procedure documents must have unique per-control-family associations.</span></div><div>👎 <span class="diagnostic" title="has-reuse-diagnostic">A policy or procedure reference was incorrectly re-used.</span></div><div>context: <code>oscal:by-component/oscal:link[@rel = ('policy', 'procedure')]</code></div><div>test: <code> (: the current @href is in :) @href = (: all controls except the current :) (//oscal:implemented-requirement[matches(@control-id, '^[a-z]{2}-1$')] except $ir) (: all their @hrefs :)/descendant::oscal:by-component/oscal:link[@rel = 'policy']/@href</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments ➔ Required attachments: ➔ Policy and Procedure Attachments: ➔ for all P&amp;P controls, ➔ when no resource is re-used ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments ➔ Required attachments: ➔ Policy and Procedure Attachments: ➔ for all P&amp;P controls, ➔ when a resource is inappropriately re-used ➔ that is an error</div><div>FedRAMP checklist-reference: Section B Check 3.1</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 1</div></td></tr><tr><td><div id="has-privacy-poc-role">has-privacy-poc-role</div></td><td><div>👍 <span class="assertion">[Section B Check 3.4] A FedRAMP SSP must incorporate
a Privacy Point of Contact role.</span></div><div>👎 <span class="diagnostic" title="has-privacy-poc-role-diagnostic">This FedRAMP OSCAL SSP lacks a Privacy Point of Contact role.</span></div><div>context: <code>oscal:metadata</code></div><div>test: <code>/oscal:system-security-plan/oscal:metadata/oscal:role[@id = 'privacy-poc']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Privacy Components ➔ when the privacy-poc role ➔ is defined ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Privacy Components ➔ when the privacy-poc role ➔ is missing ➔ that is an error</div><div>FedRAMP checklist-reference: Section B Check 3.4</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.2</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 4</div></td></tr><tr><td><div id="has-responsible-party-privacy-poc-role">has-responsible-party-privacy-poc-role</div></td><td><div>👍 <span class="assertion">[Section B Check 3.4] A FedRAMP
OSCAL SSP must declare a Privacy Point of Contact responsible party role reference.</span></div><div>👎 <span class="diagnostic" title="has-responsible-party-privacy-poc-role-diagnostic">This FedRAMP OSCAL SSP lacks a Privacy Point of Contact responsible party role
reference.</span></div><div>context: <code>oscal:metadata</code></div><div>test: <code>/oscal:system-security-plan/oscal:metadata/oscal:responsible-party[@role-id = 'privacy-poc']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Privacy Components ➔ when the privacy-poc responsible-party ➔ is defined ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Privacy Components ➔ when the privacy-poc responsible-party ➔ is missing ➔ that is an error</div><div>FedRAMP checklist-reference: Section B Check 3.4</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.2</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 4</div></td></tr><tr><td><div id="has-responsible-privacy-poc-party-uuid">has-responsible-privacy-poc-party-uuid</div></td><td><div>👍 <span class="assertion">[Section B Check
3.4] A FedRAMP SSP must declare a Privacy Point of Contact responsible party role reference identifying the party by unique
identifier.</span></div><div>👎 <span class="diagnostic" title="has-responsible-privacy-poc-party-uuid-diagnostic">This FedRAMP OSCAL SSP lacks a Privacy Point of Contact responsible party role
reference identifying the party by UUID.</span></div><div>context: <code>oscal:metadata</code></div><div>test: <code>/oscal:system-security-plan/oscal:metadata/oscal:responsible-party[@role-id = 'privacy-poc']/oscal:party-uuid</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Privacy Components ➔ when the privacy-poc responsible-party uuid ➔ is declared ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Privacy Components ➔ when the privacy-poc responsible-party uuid ➔ is missing ➔ that is an error</div><div>FedRAMP checklist-reference: Section B Check 3.4</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.2</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 4</div></td></tr><tr><td><div id="has-privacy-poc">has-privacy-poc</div></td><td><div>👍 <span class="assertion">[Section B Check 3.4] A FedRAMP SSP must define a
Privacy Point of Contact.</span></div><div>👎 <span class="diagnostic" title="has-privacy-poc-diagnostic">This FedRAMP OSCAL SSP lacks a Privacy Point of Contact.</span></div><div>context: <code>oscal:metadata</code></div><div>test: <code>/oscal:system-security-plan/oscal:metadata/oscal:party[@uuid = $poc-uuid]</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Privacy Components ➔ when the privacy-poc ➔ is declared ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Privacy Components ➔ when the privacy-poc ➔ is missing ➔ that is an error</div><div>FedRAMP checklist-reference: Section B Check 3.4</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.2</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 4</div></td></tr><tr><td><div id="has-correct-yes-or-no-answer">has-correct-yes-or-no-answer</div></td><td><div>👍 <span class="assertion">[Section B Check 3.4] A Privacy Threshold Analysis (PTA)/Privacy Impact Analysis (PIA)
qualifying question must have an allowed answer.</span></div><div>👎 <span class="diagnostic" title="has-correct-yes-or-no-answer-diagnostic">This property has an incorrect value: should be "yes" or "no".</span></div><div>context: <code>oscal:prop[@name = 'privacy-sensitive'] | oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @class = 'pta' and matches(@name, '^pta-\d$')]</code></div><div>test: <code>current()/@value = ('yes', 'no')</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Privacy Components ➔ when the privacy-sensitive designation value ➔ is yes or no ➔ when the PTA/PIA qualifying question ➔ #1 ➔ is properly answered ➔ #2 ➔ is properly answered ➔ #3 ➔ is properly answered ➔ #4 ➔ is properly answered ➔ that is correct ➔ that is correct ➔ that is correct ➔ that is correct ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Privacy Components ➔ when the privacy-sensitive designation value ➔ is not yes or no ➔ when the PTA/PIA qualifying question ➔ #1 ➔ is not properly answered ➔ #2 ➔ is not properly answered ➔ #3 ➔ is not properly answered ➔ #4 ➔ is not properly answered ➔ that is an error ➔ that is an error ➔ that is an error ➔ that is an error ➔ that is an error</div><div>FedRAMP checklist-reference: Section B Check 3.4</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.4</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 4</div></td></tr><tr><td><div id="has-privacy-sensitive-designation">has-privacy-sensitive-designation</div></td><td><div>👍 <span class="assertion">[Section B Check 3.4] A FedRAMP SSP must have a privacy-sensitive
designation.</span></div><div>👎 <span class="diagnostic" title="has-privacy-sensitive-designation-diagnostic">The privacy-sensitive designation is missing.</span></div><div>context: <code>/oscal:system-security-plan/oscal:system-characteristics/oscal:system-information</code></div><div>test: <code>oscal:prop[@name = 'privacy-sensitive']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Privacy Components ➔ when the privacy-sensitive designation ➔ is present ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Privacy Components ➔ when the privacy-sensitive designation ➔ is absent ➔ that is an error</div><div>FedRAMP checklist-reference: Section B Check 3.4</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.4</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 4</div></td></tr><tr><td><div id="has-pta-question-1">has-pta-question-1</div></td><td><div>👍 <span class="assertion">[Section B Check 3.4] A FedRAMP OSCAL
SSP must have Privacy Threshold Analysis (PTA)/Privacy Impact Analysis (PIA) qualifying question #1.</span></div><div>👎 <span class="diagnostic" title="has-pta-question-1-diagnostic">The Privacy Threshold Analysis (PTA)/Privacy Impact Analysis (PIA) qualifying question #1 is
missing.</span></div><div>context: <code>/oscal:system-security-plan/oscal:system-characteristics/oscal:system-information</code></div><div>test: <code>oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @class = 'pta' and @name = 'pta-1']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Privacy Components ➔ when the PTA/PIA qualifying question ➔ #1 ➔ is present ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Privacy Components ➔ when the PTA/PIA qualifying question ➔ #1 ➔ is absent ➔ that is an error</div><div>FedRAMP checklist-reference: Section B Check 3.4</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.4</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 4</div></td></tr><tr><td><div id="has-pta-question-2">has-pta-question-2</div></td><td><div>👍 <span class="assertion">[Section B Check 3.4] A FedRAMP OSCAL
SSP must have Privacy Threshold Analysis (PTA)/Privacy Impact Analysis (PIA) qualifying question #2.</span></div><div>👎 <span class="diagnostic" title="has-pta-question-2-diagnostic">The Privacy Threshold Analysis (PTA)/Privacy Impact Analysis (PIA) qualifying question #2 is
missing.</span></div><div>context: <code>/oscal:system-security-plan/oscal:system-characteristics/oscal:system-information</code></div><div>test: <code>oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @class = 'pta' and @name = 'pta-2']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Privacy Components ➔ when the PTA/PIA qualifying question ➔ #2 ➔ is present ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Privacy Components ➔ when the PTA/PIA qualifying question ➔ #2 ➔ is absent ➔ that is an error</div><div>FedRAMP checklist-reference: Section B Check 3.4</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.4</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 4</div></td></tr><tr><td><div id="has-pta-question-3">has-pta-question-3</div></td><td><div>👍 <span class="assertion">[Section B Check 3.4] A FedRAMP OSCAL
SSP must have Privacy Threshold Analysis (PTA)/Privacy Impact Analysis (PIA) qualifying question #3.</span></div><div>👎 <span class="diagnostic" title="has-pta-question-3-diagnostic">The Privacy Threshold Analysis (PTA)/Privacy Impact Analysis (PIA) qualifying question #3 is
missing.</span></div><div>context: <code>/oscal:system-security-plan/oscal:system-characteristics/oscal:system-information</code></div><div>test: <code>oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @class = 'pta' and @name = 'pta-3']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Privacy Components ➔ when the PTA/PIA qualifying question ➔ #3 ➔ is present ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Privacy Components ➔ when the PTA/PIA qualifying question ➔ #3 ➔ is absent ➔ that is an error</div><div>FedRAMP checklist-reference: Section B Check 3.4</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.4</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 4</div></td></tr><tr><td><div id="has-pta-question-4">has-pta-question-4</div></td><td><div>👍 <span class="assertion">[Section B Check 3.4] A FedRAMP OSCAL
SSP must have Privacy Threshold Analysis (PTA)/Privacy Impact Analysis (PIA) qualifying question #4.</span></div><div>👎 <span class="diagnostic" title="has-pta-question-4-diagnostic">The Privacy Threshold Analysis (PTA)/Privacy Impact Analysis (PIA) qualifying question #4 is
missing.</span></div><div>context: <code>/oscal:system-security-plan/oscal:system-characteristics/oscal:system-information</code></div><div>test: <code>oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @class = 'pta' and @name = 'pta-4']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Privacy Components ➔ when the PTA/PIA qualifying question ➔ #4 ➔ is present ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Privacy Components ➔ when the PTA/PIA qualifying question ➔ #4 ➔ is absent ➔ that is an error</div><div>FedRAMP checklist-reference: Section B Check 3.4</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.4</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 4</div></td></tr><tr><td><div id="has-all-pta-questions">has-all-pta-questions</div></td><td><div>👍 <span class="assertion">[Section
B Check 3.4] A FedRAMP SSP must have all four PTA questions.</span></div><div>👎 <span class="diagnostic" title="has-all-pta-questions-diagnostic">One or more of the four PTA questions is missing.</span></div><div>context: <code>/oscal:system-security-plan/oscal:system-characteristics/oscal:system-information</code></div><div>test: <code> every $name in ('pta-1', 'pta-2', 'pta-3', 'pta-4') satisfies exists(oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @class = 'pta' and @name = $name])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Privacy Components ➔ A FedRAMP OSCAL SSP must have all PTA questions. ➔ When this is true ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Privacy Components ➔ A FedRAMP OSCAL SSP must have all PTA questions. ➔ When this is false ➔ that is an error</div><div>FedRAMP checklist-reference: Section B Check 3.4</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.4</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 4</div></td></tr><tr><td><div id="has-correct-pta-question-cardinality">has-correct-pta-question-cardinality</div></td><td><div>👍 <span class="assertion">[Section
B Check 3.4] A FedRAMP SSP must have no duplicate PTA questions.</span></div><div>👎 <span class="diagnostic" title="has-correct-pta-question-cardinality-diagnostic">One or more of the four PTA questions is a duplicate.</span></div><div>context: <code>/oscal:system-security-plan/oscal:system-characteristics/oscal:system-information</code></div><div>test: <code> not(some $name in ('pta-1', 'pta-2', 'pta-3', 'pta-4') satisfies exists(oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @class = 'pta' and @name = $name][2]))</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Privacy Components ➔ A FedRAMP OSCAL SSP must have no duplicate PTA questions. ➔ When this is true ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Privacy Components ➔ A FedRAMP OSCAL SSP must have no duplicate PTA questions. ➔ When this is false ➔ that is an error</div><div>FedRAMP checklist-reference: Section B Check 3.4</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.4</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 4</div></td></tr><tr><td><div id="has-sorn">has-sorn</div></td><td><div>👍 <span class="assertion">
[Section B Check 3.4] A FedRAMP SSP may have a SORN ID.</span></div><div>👎 <span class="diagnostic" title="has-sorn-diagnostic">The SORN ID is missing.</span></div><div>context: <code>/oscal:system-security-plan/oscal:system-characteristics/oscal:system-information</code></div><div>test: <code>oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @class = 'pta' and @name = 'pta-4' and @value = 'yes'] and oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @class = 'pta' and @name = 'sorn-id' (: and @value != '':)]</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Privacy Components ➔ when the PTA/PIA qualifying question #4 is answered affirmatively ➔ and the SORN ID is provided ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Privacy Components ➔ when the PTA/PIA qualifying question #4 is answered affirmatively ➔ and the SORN ID is not provided ➔ that is an error</div><div>FedRAMP checklist-reference: Section B Check 3.4</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.4</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 4</div></td></tr><tr><td><div id="has-pia">has-pia</div></td><td><div>👍 <span class="assertion">
[Section B Check 3.4] This FedRAMP SSP must incorporate a Privacy Impact Analysis.</span></div><div>👎 <span class="diagnostic" title="has-pia-diagnostic">This FedRAMP OSCAL SSP lacks a Privacy Impact Analysis.</span></div><div>context: <code>oscal:back-matter</code></div><div>test: <code> every $answer in //oscal:system-information/oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @class = 'pta' and matches(@name, '^pta-\d$')] satisfies $answer = 'no' or oscal:resource[oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @name = 'type' and @value = 'pia']] (: a PIA is attached :)</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Privacy Components ➔ when the Privacy Impact Assessment ➔ is declared ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Privacy Components ➔ when the Privacy Impact Assessment ➔ is missing ➔ that is an error</div><div>FedRAMP checklist-reference: Section B Check 3.4</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.4</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 4</div></td></tr><tr><td><div id="has-CMVP-validation">has-CMVP-validation</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP must incorporate one or more FIPS 140 validated modules.</span></div><div>👎 <span class="diagnostic" title="has-CMVP-validation-diagnostic">This FedRAMP OSCAL SSP does not declare one or more FIPS 140 validated modules.</span></div><div>context: <code>oscal:system-implementation</code></div><div>test: <code>oscal:component[@type = 'validation']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP FIPS 140 validation ➔ when a system-implementation ➔ has a CMVP validation component ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP FIPS 140 validation ➔ when a system-implementation ➔ lacks a CMVP validation component ➔ that is an error</div><div>FedRAMP 
guide-reference: Guide to OSCAL-based FedRAMP System Security Plans Appendix A</div></td></tr><tr><td><div id="has-CMVP-validation-reference">has-CMVP-validation-reference</div></td><td><div>👍 <span class="assertion">Every FIPS 140 validation citation must have a validation reference.</span></div><div>👎 <span class="diagnostic" title="has-CMVP-validation-reference-diagnostic">This validation component or inventory-item lacks a validation-reference
property.</span></div><div>context: <code>oscal:component[@type = 'validation']</code></div><div>test: <code>oscal:prop[@name = 'validation-reference']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP FIPS 140 validation ➔ when a CMVP validation component ➔ has a validation-reference property ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP FIPS 140 validation ➔ when a CMVP validation component ➔ lacks a validation-reference property ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans Appendix A</div></td></tr><tr><td><div id="has-CMVP-validation-details">has-CMVP-validation-details</div></td><td><div>👍 <span class="assertion">Every FIPS 140 validation citation must have validation details.</span></div><div>👎 <span class="diagnostic" title="has-CMVP-validation-details-diagnostic">This validation component or inventory-item lacks a validation-details link.</span></div><div>context: <code>oscal:component[@type = 'validation']</code></div><div>test: <code>oscal:link[@rel = 'validation-details']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP FIPS 140 validation ➔ when a CMVP validation component ➔ has a validation-details property ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP FIPS 140 validation ➔ when a CMVP validation component ➔ lacks a validation-details property ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans Appendix A</div></td></tr><tr><td><div id="has-credible-CMVP-validation-reference">has-credible-CMVP-validation-reference</div></td><td><div>👍 <span class="assertion">A validation reference must provide a NIST Cryptographic Module Validation Program (CMVP)
certificate number.</span></div><div>👎 <span class="diagnostic" title="has-credible-CMVP-validation-reference-diagnostic">This validation-reference property does not resemble a CMVP certificate
number.</span></div><div>context: <code>oscal:prop[@name = 'validation-reference']</code></div><div>test: <code>matches(@value, '^\d{3,4}$')</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP FIPS 140 validation ➔ when a CMVP validation-reference ➔ is credible ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP FIPS 140 validation ➔ when a CMVP validation-reference ➔ is not credible ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans Appendix A</div></td></tr><tr><td><div id="has-consonant-CMVP-validation-reference">has-consonant-CMVP-validation-reference</div></td><td><div>👍 <span class="assertion">A validation reference must be
in accord with its sibling validation details.</span></div><div>👎 <span class="diagnostic" title="has-consonant-CMVP-validation-reference-diagnostic">This validation-reference property does not match its sibling validation-details
href.</span></div><div>context: <code>oscal:prop[@name = 'validation-reference']</code></div><div>test: <code>@value = tokenize(following-sibling::oscal:link[@rel = 'validation-details']/@href, '/')[last()]</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP FIPS 140 validation ➔ when a CMVP validation-reference ➔ is consonant ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP FIPS 140 validation ➔ when a CMVP validation-reference ➔ is not consonant ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans Appendix A</div></td></tr><tr><td><div id="has-credible-CMVP-validation-details">has-credible-CMVP-validation-details</div></td><td><div>👍 <span class="assertion">A validation
details must refer to a NIST Cryptographic Module Validation Program (CMVP) certificate detail page.</span></div><div>👎 <span class="diagnostic" title="has-credible-CMVP-validation-details-diagnostic">This validation-details link href attribute does not resemble a CMVP certificate
URL.</span></div><div>context: <code>oscal:link[@rel = 'validation-details']</code></div><div>test: <code>matches(@href, '^https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/\d{3,4}$')</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP FIPS 140 validation ➔ when a CMVP validation-details ➔ is credible ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP FIPS 140 validation ➔ when a CMVP validation-details ➔ is not credible ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans Appendix A</div></td></tr><tr><td><div id="has-consonant-CMVP-validation-details">has-consonant-CMVP-validation-details</div></td><td><div>👍 <span class="assertion">A validation details link
must be in accord with its sibling validation reference.</span></div><div>👎 <span class="diagnostic" title="has-consonant-CMVP-validation-details-diagnostic">This validation-details link href attribute does not match its sibling
validation-reference value.</span></div><div>context: <code>oscal:link[@rel = 'validation-details']</code></div><div>test: <code>tokenize(@href, '/')[last()] = preceding-sibling::oscal:prop[@name = 'validation-reference']/@value</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP FIPS 140 validation ➔ when a CMVP validation-details ➔ is consonant ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP FIPS 140 validation ➔ when a CMVP validation-details ➔ is not consonant ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans Appendix A</div></td></tr><tr><td><div id="has-security-sensitivity-level">has-security-sensitivity-level</div></td><td><div>👍 <span class="assertion">[Section B Check 3.10] A FedRAMP SSP must specify a FIPS 199 categorization.</span></div><div>👎 <span class="diagnostic" title="has-security-sensitivity-level-diagnostic">This FedRAMP OSCAL SSP lacks a FIPS 199 categorization.</span></div><div>context: <code>oscal:system-characteristics</code></div><div>test: <code>oscal:security-sensitivity-level</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP FIPS 199 Categorization ➔ when a system-characteristics ➔ has security-sensitivity-level ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP FIPS 199 Categorization ➔ when a system-characteristics ➔ lacks security-sensitivity-level ➔ that is an error</div><div>FedRAMP checklist-reference: Section B Check 3.10</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.4</div><div>FedRAMP template-reference: System Security Plan Template §2</div></td></tr><tr><td><div id="has-security-impact-level">has-security-impact-level</div></td><td><div>👍 <span class="assertion">[Section B Check 3.10] A FedRAMP SSP must specify a security impact level.</span></div><div>👎 <span class="diagnostic" 
title="has-security-impact-level-diagnostic">This FedRAMP OSCAL SSP lacks a security impact level.</span></div><div>context: <code>oscal:system-characteristics</code></div><div>test: <code>oscal:security-impact-level</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP FIPS 199 Categorization ➔ when a system-characteristics ➔ has security-impact-level ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP FIPS 199 Categorization ➔ when a system-characteristics ➔ lacks security-impact-level ➔ that is an error</div><div>FedRAMP checklist-reference: Section B Check 3.10</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.4</div></td></tr><tr><td><div id="has-allowed-security-sensitivity-level">has-allowed-security-sensitivity-level</div></td><td><div>👍 <span class="assertion">[Section B Check 3.10] A FedRAMP SSP must specify an allowed security sensitivity
level.</span></div><div>👎 <span class="diagnostic" title="has-allowed-security-sensitivity-level-diagnostic">Invalid security-sensitivity-level "<span class="substitution">&lt;sch:value-of select="."/&gt;</span>". It must have one of the following <span class="substitution">&lt;sch:value-of select="count($security-sensitivity-levels)"/&gt;</span> values: <span class="substitution">&lt;sch:value-of select="string-join($security-sensitivity-levels, ' ∨ ')"/&gt;</span>.</span></div><div>context: <code>oscal:security-sensitivity-level</code></div><div>test: <code>current() = $security-sensitivity-levels</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP FIPS 199 Categorization ➔ when a security-sensitivity-level ➔ has an allowed value ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP FIPS 199 Categorization ➔ when a security-sensitivity-level ➔ lacks an allowed value ➔ that is an error</div><div>FedRAMP checklist-reference: Section B Check 3.10</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.4</div><div>FedRAMP template-reference: System Security Plan Template §2</div></td></tr><tr><td><div id="has-security-objective-confidentiality">has-security-objective-confidentiality</div></td><td><div>👍 <span class="assertion">[Section B Check 3.10] A FedRAMP SSP must specify a confidentiality security
objective.</span></div><div>👎 <span class="diagnostic" title="has-security-objective-confidentiality-diagnostic">This FedRAMP OSCAL SSP lacks a confidentiality security objective.</span></div><div>context: <code>oscal:security-impact-level</code></div><div>test: <code>oscal:security-objective-confidentiality</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP FIPS 199 Categorization ➔ when a security-impact-level ➔ has a security-objective-confidentiality ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP FIPS 199 Categorization ➔ when a security-impact-level ➔ lacks a security-objective-confidentiality ➔ that is an error</div><div>FedRAMP checklist-reference: Section B Check 3.10</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.4</div><div>FedRAMP template-reference: System Security Plan Template §2.2</div></td></tr><tr><td><div id="has-security-objective-integrity">has-security-objective-integrity</div></td><td><div>👍 <span class="assertion">[Section B Check 3.10] A FedRAMP SSP must specify an integrity security
objective.</span></div><div>👎 <span class="diagnostic" title="has-security-objective-integrity-diagnostic">This FedRAMP OSCAL SSP lacks an integrity security objective.</span></div><div>context: <code>oscal:security-impact-level</code></div><div>test: <code>oscal:security-objective-integrity</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP FIPS 199 Categorization ➔ when a security-impact-level ➔ has a security-objective-integrity ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP FIPS 199 Categorization ➔ when a security-impact-level ➔ lacks a security-objective-integrity ➔ that is an error</div><div>FedRAMP checklist-reference: Section B Check 3.10</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.4</div><div>FedRAMP template-reference: System Security Plan Template §2.2</div></td></tr><tr><td><div id="has-security-objective-availability">has-security-objective-availability</div></td><td><div>👍 <span class="assertion">[Section B Check 3.10] A FedRAMP SSP must specify an availability security
objective.</span></div><div>👎 <span class="diagnostic" title="has-security-objective-availability-diagnostic">This FedRAMP OSCAL SSP lacks an availability security objective.</span></div><div>context: <code>oscal:security-impact-level</code></div><div>test: <code>oscal:security-objective-availability</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP FIPS 199 Categorization ➔ when a security-impact-level ➔ has a security-objective-availability ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP FIPS 199 Categorization ➔ when a security-impact-level ➔ lacks a security-objective-availability ➔ that is an error</div><div>FedRAMP checklist-reference: Section B Check 3.10</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.4</div><div>FedRAMP template-reference: System Security Plan Template §2.2</div></td></tr><tr><td><div id="has-allowed-security-objective-value">has-allowed-security-objective-value</div></td><td><div>👍 <span class="assertion">[Section B Check 3.10] A FedRAMP SSP must specify an allowed security objective
value.</span></div><div>👎 <span class="diagnostic" title="has-allowed-security-objective-value-diagnostic">Invalid "<span class="substitution">&lt;sch:value-of select="name()"/&gt;</span>" "<span class="substitution">&lt;sch:value-of select="."/&gt;</span>". It must have one of the following <span class="substitution">&lt;sch:value-of select="count($security-objective-levels)"/&gt;</span> values: <span class="substitution">&lt;sch:value-of select="string-join($security-objective-levels, ' ∨ ')"/&gt;</span>.</span></div><div>context: <code>oscal:security-objective-confidentiality | oscal:security-objective-integrity | oscal:security-objective-availability</code></div><div>test: <code>current() = $security-objective-levels</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP FIPS 199 Categorization ➔ when a security-objective ➔ has an allowed security objective value ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP FIPS 199 Categorization ➔ when a security-objective ➔ lacks an allowed security objective value ➔ that is an error</div><div>FedRAMP checklist-reference: Section B Check 3.10</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.4</div><div>FedRAMP template-reference: System Security Plan Template §2.2</div></td></tr><tr><td><div id="system-information-has-information-type">system-information-has-information-type</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP must specify at least one information type.</span></div><div>👎 <span class="diagnostic" title="system-information-has-information-type-diagnostic">A FedRAMP OSCAL SSP lacks at least one information-type.</span></div><div>context: <code>oscal:system-information</code></div><div>test: <code>oscal:information-type</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types ➔ when a system-information ➔ has an information-type ➔ that is 
correct</div><div>negative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types ➔ when a system-information ➔ lacks an information-type ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.3</div><div>FedRAMP template-reference: System Security Plan Template §2</div></td></tr><tr><td><div id="information-type-has-title">information-type-has-title</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP information type must have a title.</span></div><div>👎 <span class="diagnostic" title="information-type-has-title-diagnostic">A FedRAMP OSCAL SSP information-type lacks a title.</span></div><div>context: <code>oscal:information-type</code></div><div>test: <code>oscal:title</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types ➔ when an information-type ➔ has a title ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types ➔ when an information-type ➔ lacks title ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.3</div><div>FedRAMP template-reference: System Security Plan Template §2.1</div></td></tr><tr><td><div id="information-type-has-description">information-type-has-description</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP information type must have a description.</span></div><div>👎 <span class="diagnostic" title="information-type-has-description-diagnostic">A FedRAMP OSCAL SSP information-type lacks a description.</span></div><div>context: <code>oscal:information-type</code></div><div>test: <code>oscal:description</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types ➔ when an information-type ➔ has a description ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types ➔ when an information-type ➔ lacks 
description ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.3</div><div>FedRAMP template-reference: System Security Plan Template §2.1</div></td></tr><tr><td><div id="information-type-has-categorization">information-type-has-categorization</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP information type must have at least one categorization.</span></div><div>👎 <span class="diagnostic" title="information-type-has-categorization-diagnostic">A FedRAMP OSCAL SSP information-type lacks at least one
categorization.</span></div><div>context: <code>oscal:information-type</code></div><div>test: <code>oscal:categorization</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types ➔ when an information-type ➔ has a categorization ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types ➔ when an information-type ➔ lacks categorization ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.3</div><div>FedRAMP template-reference: System Security Plan Template §2.1</div></td></tr><tr><td><div id="information-type-has-confidentiality-impact">information-type-has-confidentiality-impact</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP information type must have a confidentiality impact.</span></div><div>👎 <span class="diagnostic" title="information-type-has-confidentiality-impact-diagnostic">A FedRAMP OSCAL SSP information-type lacks a
confidentiality-impact.</span></div><div>context: <code>oscal:information-type</code></div><div>test: <code>oscal:confidentiality-impact</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types ➔ when an information-type ➔ has a confidentiality-impact ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types ➔ when an information-type ➔ lacks confidentiality-impact ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.3</div><div>FedRAMP template-reference: System Security Plan Template §2.1</div></td></tr><tr><td><div id="information-type-has-integrity-impact">information-type-has-integrity-impact</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP information type must have an integrity impact.</span></div><div>👎 <span class="diagnostic" title="information-type-has-integrity-impact-diagnostic">A FedRAMP OSCAL SSP information-type lacks an integrity-impact.</span></div><div>context: <code>oscal:information-type</code></div><div>test: <code>oscal:integrity-impact</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types ➔ when an information-type ➔ has an integrity-impact ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types ➔ when an information-type ➔ lacks integrity-impact ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.3</div><div>FedRAMP template-reference: System Security Plan Template §2.1</div></td></tr><tr><td><div id="information-type-has-availability-impact">information-type-has-availability-impact</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP information type must have an availability impact.</span></div><div>👎 <span class="diagnostic" title="information-type-has-availability-impact-diagnostic">A FedRAMP 
OSCAL SSP information-type lacks an
availability-impact.</span></div><div>context: <code>oscal:information-type</code></div><div>test: <code>oscal:availability-impact</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types ➔ when an information-type ➔ has an availability-impact ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types ➔ when an information-type ➔ lacks availability-impact ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.3</div><div>FedRAMP template-reference: System Security Plan Template §2.1</div></td></tr><tr><td><div id="categorization-has-system-attribute">categorization-has-system-attribute</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP information type categorization must have a system attribute.</span></div><div>👎 <span class="diagnostic" title="categorization-has-system-attribute-diagnostic">A FedRAMP OSCAL SSP information-type categorization lacks a system
attribute.</span></div><div>context: <code>oscal:categorization</code></div><div>test: <code>@system</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types ➔ when a categorization ➔ has a system attribute ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types ➔ when a categorization ➔ lacks a system attribute ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.3</div><div>FedRAMP template-reference: System Security Plan Template §2.1</div></td></tr><tr><td><div id="categorization-has-correct-system-attribute">categorization-has-correct-system-attribute</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP information type categorization must have a correct system
attribute.</span></div><div>👎 <span class="diagnostic" title="categorization-has-correct-system-attribute-diagnostic">A FedRAMP OSCAL SSP information-type categorization lacks a correct system
attribute. The correct value is "https://doi.org/10.6028/NIST.SP.800-60v2r1".</span></div><div>context: <code>oscal:categorization</code></div><div>test: <code>@system = 'https://doi.org/10.6028/NIST.SP.800-60v2r1'</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types ➔ when a categorization ➔ has a correct system attribute ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types ➔ when a categorization ➔ lacks a correct system attribute ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.3</div><div>FedRAMP template-reference: System Security Plan Template §2.1</div></td></tr><tr><td><div id="categorization-has-information-type-id">categorization-has-information-type-id</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP information type categorization must have at least one information type
identifier.</span></div><div>👎 <span class="diagnostic" title="categorization-has-information-type-id-diagnostic">A FedRAMP OSCAL SSP information-type categorization lacks at least one
information-type-id.</span></div><div>context: <code>oscal:categorization</code></div><div>test: <code>oscal:information-type-id</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types ➔ when a categorization ➔ has an information-type-id ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types ➔ when a categorization ➔ lacks information-type-id ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.3</div><div>FedRAMP template-reference: System Security Plan Template §2.1</div></td></tr><tr><td><div id="has-allowed-information-type-id">has-allowed-information-type-id</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP information type identifier must be chosen from those found in NIST SP
800-60v2r1.</span></div><div>👎 <span class="diagnostic" title="has-allowed-information-type-id-diagnostic">A FedRAMP OSCAL SSP information-type-id lacks a SP 800-60v2r1 identifier.</span></div><div>context: <code>oscal:information-type-id</code></div><div>test: <code>current()[. = $information-types]</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types ➔ when a categorization ➔ has an allowed information-type-id ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types ➔ when a categorization ➔ lacks an allowed information-type-id ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.3</div><div>FedRAMP template-reference: System Security Plan Template §2.1</div></td></tr><tr><td><div id="cia-impact-has-base">cia-impact-has-base</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP information type confidentiality, integrity, or availability impact must specify the base
impact.</span></div><div>👎 <span class="diagnostic" title="cia-impact-has-base-diagnostic">A FedRAMP OSCAL SSP information-type confidentiality-, integrity-, or availability-impact lacks a base
element.</span></div><div>context: <code>oscal:confidentiality-impact | oscal:integrity-impact | oscal:availability-impact</code></div><div>test: <code>oscal:base</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types ➔ when a information-type confidentiality-, integrity-, or availability-impact ➔ has a base ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types ➔ when a information-type confidentiality-, integrity-, or availability-impact ➔ lacks base ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.3</div><div>FedRAMP template-reference: System Security Plan Template §2.1</div></td></tr><tr><td><div id="cia-impact-has-selected">cia-impact-has-selected</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP information type confidentiality, integrity, or availability impact must specify the selected
impact.</span></div><div>👎 <span class="diagnostic" title="cia-impact-has-selected-diagnostic">A FedRAMP OSCAL SSP information-type confidentiality-, integrity-, or availability-impact lacks a
selected element.</span></div><div>context: <code>oscal:confidentiality-impact | oscal:integrity-impact | oscal:availability-impact</code></div><div>test: <code>oscal:selected</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types ➔ when a information-type confidentiality-, integrity-, or availability-impact ➔ has a selected ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types ➔ when a information-type confidentiality-, integrity-, or availability-impact ➔ lacks selected ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.3</div><div>FedRAMP template-reference: System Security Plan Template §2.1</div></td></tr><tr><td><div id="cia-impact-has-approved-fips-categorization">cia-impact-has-approved-fips-categorization</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP must indicate for its information system the appropriate categorization for the respective
confidentiality, integrity, and availability impact levels of its information types (per FIPS-199).</span></div><div>👎 <span class="diagnostic" title="cia-impact-has-approved-fips-categorization-diagnostic">A FedRAMP OSCAL SSP information-type confidentiality-, integrity-, or
availability-impact base or selected element lacks an approved value.</span></div><div>context: <code>oscal:base | oscal:selected</code></div><div>test: <code>. = $fips-199-levels</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types ➔ when a information-type confidentiality-, integrity-, or availability-impact ➔ base element ➔ has an approved value ➔ selected element ➔ has an approved value ➔ that is correct ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types ➔ when a information-type confidentiality-, integrity-, or availability-impact ➔ base element ➔ lacks an approved value ➔ selected element ➔ lacks an approved value ➔ that is an error ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.3</div><div>FedRAMP template-reference: System Security Plan Template §2.1</div></td></tr><tr><td><div id="has-security-eauth-level">has-security-eauth-level</div></td><td><div>👍 <span class="assertion"> [Section B
Check 3.3, Section C Check 7] A FedRAMP SSP must have a Digital Identity Determination property.</span></div><div>👎 <span class="diagnostic" title="has-security-eauth-level-diagnostic">This FedRAMP OSCAL SSP lacks a Digital Identity Determination property.</span></div><div>context: <code>oscal:system-characteristics</code></div><div>test: <code>oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @class = 'security-eauth' and @name = 'security-eauth-level']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Digital Identity Determination ➔ when a system-characteristics ➔ has a security-eauth-level ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Digital Identity Determination ➔ when a system-characteristics ➔ lacks a security-eauth-level ➔ that is an error</div><div>FedRAMP checklist-reference: Section B Check 3.3, Section C Check 7</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.5</div><div>FedRAMP template-reference: System Security Plan Template §2.3</div></td></tr><tr><td><div id="has-identity-assurance-level">has-identity-assurance-level</div></td><td><div>👍 <span class="assertion">[Section B Check 3.3, Section C Check 7] A FedRAMP SSP may have a Digital
Identity Determination identity assurance level property.</span></div><div>👎 <span class="diagnostic" title="has-identity-assurance-level-diagnostic">A FedRAMP OSCAL SSP may lack a Digital Identity Determination identity-assurance-level
property.</span></div><div>context: <code>oscal:system-characteristics</code></div><div>test: <code>oscal:prop[@name = 'identity-assurance-level']</code></div><div>role: <code>information</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Digital Identity Determination ➔ when a system-characteristics ➔ has a identity-assurance-level ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Digital Identity Determination ➔ when a system-characteristics ➔ lacks a identity-assurance-level ➔ that is acceptable</div><div>FedRAMP checklist-reference: Section B Check 3.3, Section C Check 7</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.5</div><div>FedRAMP template-reference: System Security Plan Template §2.3</div></td></tr><tr><td><div id="has-authenticator-assurance-level">has-authenticator-assurance-level</div></td><td><div>👍 <span class="assertion">[Section B Check 3.3, Section C Check 7] A FedRAMP SSP may have a Digital
Identity Determination authenticator assurance level property.</span></div><div>👎 <span class="diagnostic" title="has-authenticator-assurance-level-diagnostic">A FedRAMP OSCAL SSP may lack a Digital Identity Determination
authenticator-assurance-level property.</span></div><div>context: <code>oscal:system-characteristics</code></div><div>test: <code>oscal:prop[@name = 'authenticator-assurance-level']</code></div><div>role: <code>information</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Digital Identity Determination ➔ when a system-characteristics ➔ has a authenticator-assurance-level ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Digital Identity Determination ➔ when a system-characteristics ➔ lacks a authenticator-assurance-level ➔ that is acceptable</div><div>FedRAMP checklist-reference: Section B Check 3.3, Section C Check 7</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.5</div><div>FedRAMP template-reference: System Security Plan Template §2.3</div></td></tr><tr><td><div id="has-federation-assurance-level">has-federation-assurance-level</div></td><td><div>👍 <span class="assertion">[Section B Check 3.3, Section C Check 7] A FedRAMP SSP may have a Digital
Identity Determination federation assurance level property.</span></div><div>👎 <span class="diagnostic" title="has-federation-assurance-level-diagnostic">A FedRAMP OSCAL SSP may lack a Digital Identity Determination federation-assurance-level
property.</span></div><div>context: <code>oscal:system-characteristics</code></div><div>test: <code>oscal:prop[@name = 'federation-assurance-level']</code></div><div>role: <code>information</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Digital Identity Determination ➔ when a system-characteristics ➔ has a federation-assurance-level ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Digital Identity Determination ➔ when a system-characteristics ➔ lacks a federation-assurance-level ➔ that is acceptable</div><div>FedRAMP checklist-reference: Section B Check 3.3, Section C Check 7</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.5</div><div>FedRAMP template-reference: System Security Plan Template §2.3</div></td></tr><tr><td><div id="has-allowed-security-eauth-level">has-allowed-security-eauth-level</div></td><td><div>👍 <span class="assertion">[Section B Check 3.3, Section C Check 7] A FedRAMP SSP must have a Digital Identity Determination
property with an allowed value.</span></div><div>👎 <span class="diagnostic" title="has-allowed-security-eauth-level-diagnostic">This FedRAMP OSCAL SSP lacks a Digital Identity Determination property with an allowed
value.</span></div><div>context: <code>oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @class = 'security-eauth' and @name = 'security-eauth-level']</code></div><div>test: <code>@value = $eauth-levels</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Digital Identity Determination ➔ when a system-characteristics ➔ has an allowed security-eauth-level ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Digital Identity Determination ➔ when a system-characteristics ➔ lacks an allowed security-eauth-level ➔ that is an error</div><div>FedRAMP checklist-reference: Section B Check 3.3, Section C Check 7</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.5</div><div>FedRAMP template-reference: System Security Plan Template §2.3</div></td></tr><tr><td><div id="has-allowed-identity-assurance-level">has-allowed-identity-assurance-level</div></td><td><div>👍 <span class="assertion">[Section B Check 3.3, Section C Check 7] A FedRAMP SSP should have an allowed Digital
Identity Determination identity assurance level.</span></div><div>👎 <span class="diagnostic" title="has-allowed-identity-assurance-level-diagnostic">A FedRAMP OSCAL SSP may lack an allowed Digital Identity Determination
identity-assurance-level property.</span></div><div>context: <code>oscal:prop[@name = 'identity-assurance-level']</code></div><div>test: <code>@value = $identity-assurance-levels</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Digital Identity Determination ➔ when a system-characteristics ➔ has an allowed identity-assurance-level ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Digital Identity Determination ➔ when a system-characteristics ➔ lacks an allowed identity-assurance-level ➔ that is an error</div><div>FedRAMP checklist-reference: Section B Check 3.3, Section C Check 7</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.5</div><div>FedRAMP template-reference: System Security Plan Template §2.3</div></td></tr><tr><td><div id="has-allowed-authenticator-assurance-level">has-allowed-authenticator-assurance-level</div></td><td><div>👍 <span class="assertion">[Section B Check 3.3, Section C Check 7] A FedRAMP SSP should have an allowed Digital
Identity Determination authenticator assurance level.</span></div><div>👎 <span class="diagnostic" title="has-allowed-authenticator-assurance-level-diagnostic">A FedRAMP OSCAL SSP may lack an allowed Digital Identity Determination
authenticator-assurance-level property.</span></div><div>context: <code>oscal:prop[@name = 'authenticator-assurance-level']</code></div><div>test: <code>@value = $authenticator-assurance-levels</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Digital Identity Determination ➔ when a system-characteristics ➔ has an allowed authenticator-assurance-level ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Digital Identity Determination ➔ when a system-characteristics ➔ lacks an allowed authenticator-assurance-level ➔ that is an error</div><div>FedRAMP checklist-reference: Section B Check 3.3, Section C Check 7</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.5</div><div>FedRAMP template-reference: System Security Plan Template §2.3</div></td></tr><tr><td><div id="has-allowed-federation-assurance-level">has-allowed-federation-assurance-level</div></td><td><div>👍 <span class="assertion">[Section B Check 3.3, Section C Check 7] A FedRAMP SSP should have an allowed Digital
Identity Determination federation assurance level.</span></div><div>👎 <span class="diagnostic" title="has-allowed-federation-assurance-level-diagnostic">A FedRAMP OSCAL SSP may lack an allowed Digital Identity Determination
federation-assurance-level property.</span></div><div>context: <code>oscal:prop[@name = 'federation-assurance-level']</code></div><div>test: <code>@value = $federation-assurance-levels</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Digital Identity Determination ➔ when a system-characteristics ➔ has an allowed federation-assurance-level ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Digital Identity Determination ➔ when a system-characteristics ➔ lacks an allowed federation-assurance-level ➔ that is an error</div><div>FedRAMP checklist-reference: Section B Check 3.3, Section C Check 7</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.5</div><div>FedRAMP template-reference: System Security Plan Template §2.3</div></td></tr><tr><td><div id="has-inventory-items">has-inventory-items</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP must incorporate inventory items.</span></div><div>👎 <span class="diagnostic" title="has-inventory-items-diagnostic">This FedRAMP OSCAL SSP lacks inventory-item elements.</span></div><div>context: <code>/oscal:system-security-plan/oscal:system-implementation</code></div><div>test: <code>oscal:inventory-item</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the system-implementation ➔ has inventory items ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the system-implementation ➔ lacks inventory items ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 13</div></td></tr><tr><td><div id="has-unique-asset-id">has-unique-asset-id</div></td><td><div>👍 <span class="assertion">Every asset identifier must be unique.</span></div><div>👎 <span class="diagnostic" 
title="has-unique-asset-id-diagnostic">This asset id <span class="substitution">&lt;sch:value-of select="@asset-id"/&gt;</span> is not unique. An asset id must be unique within the scope of a FedRAMP OSCAL SSP document.</span></div><div>context: <code>oscal:prop[@name = 'asset-id']</code></div><div>test: <code>count(//oscal:prop[@name = 'asset-id'][@value = current()/@value]) = 1</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ asset-id must be unique. ➔ affirmative ➔ correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ asset-id must be unique. ➔ negative ➔ error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 13</div></td></tr><tr><td><div id="has-allowed-asset-type">has-allowed-asset-type</div></td><td><div>👍 <span class="assertion">An asset type must have an allowed value.</span></div><div>👎 <span class="diagnostic" title="has-allowed-asset-type-diagnostic"><span class="substitution">&lt;sch:value-of select="name()"/&gt;</span> should have a FedRAMP asset type <span class="substitution">&lt;sch:value-of select="string-join($asset-types, ' ∨ ')"/&gt;</span> (not " <span class="substitution">&lt;sch:value-of select="@value"/&gt;</span>").</span></div><div>context: <code>oscal:prop[@name = 'asset-type']</code></div><div>test: <code>@value = $asset-types</code></div><div>role: <code>warning</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ asset-type property has an allowed value. ➔ affirmative ➔ correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ asset-type property has an allowed value. 
➔ negative ➔ error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 13</div></td></tr><tr><td><div id="has-allowed-virtual">has-allowed-virtual</div></td><td><div>👍 <span class="assertion">A virtual property must have an allowed value.</span></div><div>👎 <span class="diagnostic" title="has-allowed-virtual-diagnostic"><span class="substitution">&lt;sch:value-of select="name()"/&gt;</span> must have an allowed value <span class="substitution">&lt;sch:value-of select="string-join($virtuals, ' ∨ ')"/&gt;</span> (not " <span class="substitution">&lt;sch:value-of select="@value"/&gt;</span>").</span></div><div>context: <code>oscal:prop[@name = 'virtual']</code></div><div>test: <code>@value = $virtuals</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ virtual property has an allowed value. ➔ affirmative ➔ correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ virtual property has an allowed value. 
➔ negative ➔ error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 13</div></td></tr><tr><td><div id="has-allowed-public">has-allowed-public</div></td><td><div>👍 <span class="assertion">A public property must have an allowed value.</span></div><div>👎 <span class="diagnostic" title="has-allowed-public-diagnostic"><span class="substitution">&lt;sch:value-of select="name()"/&gt;</span> must have an allowed value <span class="substitution">&lt;sch:value-of select="string-join($publics, ' ∨ ')"/&gt;</span> (not " <span class="substitution">&lt;sch:value-of select="@value"/&gt;</span>").</span></div><div>context: <code>oscal:prop[@name = 'public']</code></div><div>test: <code>@value = $publics</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ public property has an allowed value. ➔ affirmative ➔ correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ public property has an allowed value. 
➔ negative ➔ error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 13</div></td></tr><tr><td><div id="has-allowed-allows-authenticated-scan">has-allowed-allows-authenticated-scan</div></td><td><div>👍 <span class="assertion">An allows-authenticated-scan property has an allowed value.</span></div><div>👎 <span class="diagnostic" title="has-allowed-allows-authenticated-scan-diagnostic"><span class="substitution">&lt;sch:value-of select="name()"/&gt;</span> must have an allowed value <span class="substitution">&lt;sch:value-of select="string-join($allows-authenticated-scans, ' ∨ ')"/&gt;</span> (not " <span class="substitution">&lt;sch:value-of select="@value"/&gt;</span>").</span></div><div>context: <code>oscal:prop[@name = 'allows-authenticated-scan']</code></div><div>test: <code>@value = $allows-authenticated-scans</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ allows-authenticated-scan property has an allowed value. ➔ affirmative ➔ correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ allows-authenticated-scan property has an allowed value. 
➔ negative ➔ error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 13</div></td></tr><tr><td><div id="has-allowed-is-scanned">has-allowed-is-scanned</div></td><td><div>👍 <span class="assertion">is-scanned property must have an allowed value.</span></div><div>👎 <span class="diagnostic" title="has-allowed-is-scanned-diagnostic"><span class="substitution">&lt;sch:value-of select="name()"/&gt;</span> must have an allowed value <span class="substitution">&lt;sch:value-of select="string-join($is-scanneds, ' ∨ ')"/&gt;</span> (not " <span class="substitution">&lt;sch:value-of select="@value"/&gt;</span>").</span></div><div>context: <code>oscal:prop[@name = 'is-scanned']</code></div><div>test: <code>@value = $is-scanneds</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ is-scanned property has an allowed value. ➔ affirmative ➔ correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ is-scanned property has an allowed value. 
➔ negative ➔ error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 13</div></td></tr><tr><td><div id="has-allowed-scan-type">has-allowed-scan-type</div></td><td><div>👍 <span class="assertion">A scan-type property must have an allowed value.</span></div><div>👎 <span class="diagnostic" title="has-allowed-scan-type-diagnostic"><span class="substitution">&lt;sch:value-of select="name()"/&gt;</span> must have an allowed value <span class="substitution">&lt;sch:value-of select="string-join($scan-types, ' ∨ ')"/&gt;</span> (not " <span class="substitution">&lt;sch:value-of select="@value"/&gt;</span>").</span></div><div>context: <code>oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @name = 'scan-type']</code></div><div>test: <code>@value = $scan-types</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ scan-type property has an allowed value. ➔ affirmative ➔ correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ scan-type property has an allowed value. 
➔ negative ➔ error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 13</div></td></tr><tr><td><div id="component-has-allowed-type">component-has-allowed-type</div></td><td><div>👍 <span class="assertion">A component must have an allowed type.</span></div><div>👎 <span class="diagnostic" title="component-has-allowed-type-diagnostic"><span class="substitution">&lt;sch:value-of select="name()"/&gt;</span> must have an allowed component type <span class="substitution">&lt;sch:value-of select="string-join($component-types, ' ∨ ')"/&gt;</span> (not " <span class="substitution">&lt;sch:value-of select="@type"/&gt;</span>").</span></div><div>context: <code>oscal:component</code></div><div>test: <code>@type = $component-types</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ component has an allowed type. ➔ affirmative ➔ correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ component has an allowed type. 
➔ negative ➔ error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 13</div></td></tr><tr><td><div id="component-has-asset-type">component-has-asset-type</div></td><td><div>👍 <span class="assertion">A component must have an asset type.</span></div><div>👎 <span class="diagnostic" title="component-has-asset-type-diagnostic"><span class="substitution">&lt;sch:value-of select="name()"/&gt;</span> lacks an asset-type property.</span></div><div>context: <code>oscal:component</code></div><div>test: <code> (: not(@uuid = //oscal:inventory-item/oscal:implemented-component/@component-uuid) or :) oscal:prop[@name = 'asset-type']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ component has an asset type. ➔ affirmative ➔ correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ component has an asset type. ➔ negative ➔ error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 13</div></td></tr><tr><td><div id="component-has-one-asset-type">component-has-one-asset-type</div></td><td><div>👍 <span class="assertion">A component must have only one asset type.</span></div><div>👎 <span class="diagnostic" title="component-has-one-asset-type-diagnostic"><span class="substitution">&lt;sch:value-of select="name()"/&gt;</span> has more than one asset-type property.</span></div><div>context: <code>oscal:component</code></div><div>test: <code>not(oscal:prop[@name = 'asset-type'][2])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ component has only one asset type. ➔ affirmative ➔ correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ component has only one asset type. 
➔ negative ➔ error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 13</div></td></tr><tr><td><div id="inventory-item-has-uuid">inventory-item-has-uuid</div></td><td><div>👍 <span class="assertion">An inventory item has a unique identifier.</span></div><div>👎 <span class="diagnostic" title="inventory-item-has-uuid-diagnostic">This inventory-item lacks a uuid attribute.</span></div><div>context: <code>oscal:inventory-item</code></div><div>test: <code>@uuid</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ has a uuid attribute ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ lacks a uuid attribute ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 13</div></td></tr><tr><td><div id="has-asset-id">has-asset-id</div></td><td><div>👍 <span class="assertion">An inventory item must have an asset identifier.</span></div><div>👎 <span class="diagnostic" title="has-asset-id-diagnostic">This inventory-item lacks an asset-id property.</span></div><div>context: <code>oscal:inventory-item</code></div><div>test: <code>oscal:prop[@name = 'asset-id']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ has an asset-id. ➔ affirmative ➔ correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ has an asset-id. 
➔ negative ➔ error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 13</div></td></tr><tr><td><div id="has-one-asset-id">has-one-asset-id</div></td><td><div>👍 <span class="assertion">An inventory item must have only one asset identifier.</span></div><div>👎 <span class="diagnostic" title="has-one-asset-id-diagnostic">This inventory-item has more than one asset-id property.</span></div><div>context: <code>oscal:inventory-item</code></div><div>test: <code>not(oscal:prop[@name = 'asset-id'][2])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ has only one asset-id. ➔ affirmative ➔ correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ has only one asset-id. ➔ negative ➔ error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 13</div></td></tr><tr><td><div id="inventory-item-has-asset-type">inventory-item-has-asset-type</div></td><td><div>👍 <span class="assertion">An inventory item must have an asset-type.</span></div><div>👎 <span class="diagnostic" title="inventory-item-has-asset-type-diagnostic">This inventory-item lacks an asset-type property.</span></div><div>context: <code>oscal:inventory-item</code></div><div>test: <code>oscal:prop[@name = 'asset-type']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ has an asset-type ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ lacks an asset-type ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><div>FedRAMP template-reference: 
System Security Plan Template §15 Attachment 13</div></td></tr><tr><td><div id="inventory-item-has-one-asset-type">inventory-item-has-one-asset-type</div></td><td><div>👍 <span class="assertion">An inventory item must have only one asset-type.</span></div><div>👎 <span class="diagnostic" title="inventory-item-has-one-asset-type-diagnostic">This inventory-item has more than one asset-type property.</span></div><div>context: <code>oscal:inventory-item</code></div><div>test: <code>not(oscal:prop[@name = 'asset-type'][2])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ has only one asset-type. ➔ affirmative ➔ correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ has only one asset-type. ➔ negative ➔ error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 13</div></td></tr><tr><td><div id="inventory-item-has-virtual">inventory-item-has-virtual</div></td><td><div>👍 <span class="assertion">An inventory item must have a virtual property.</span></div><div>👎 <span class="diagnostic" title="inventory-item-has-virtual-diagnostic">This inventory-item lacks a virtual property.</span></div><div>context: <code>oscal:inventory-item</code></div><div>test: <code>oscal:prop[@name = 'virtual']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ has a virtual property ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ lacks a virtual property ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 13</div></td></tr><tr><td><div 
id="inventory-item-has-one-virtual">inventory-item-has-one-virtual</div></td><td><div>👍 <span class="assertion">An inventory item must have only one virtual property.</span></div><div>👎 <span class="diagnostic" title="inventory-item-has-one-virtual-diagnostic">This inventory-item has more than one virtual property.</span></div><div>context: <code>oscal:inventory-item</code></div><div>test: <code>not(oscal:prop[@name = 'virtual'][2])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ has only one virtual property. ➔ affirmative ➔ has only one virtual property. ➔ affirmative ➔ correct ➔ correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ has only one virtual property. ➔ negative ➔ has only one virtual property. ➔ negative ➔ error ➔ error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 13</div></td></tr><tr><td><div id="inventory-item-has-public">inventory-item-has-public</div></td><td><div>👍 <span class="assertion">An inventory item must have a public property.</span></div><div>👎 <span class="diagnostic" title="inventory-item-has-public-diagnostic">This inventory-item lacks a public property.</span></div><div>context: <code>oscal:inventory-item</code></div><div>test: <code>oscal:prop[@name = 'public']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ has a public property ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ lacks a public property ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 
13</div></td></tr><tr><td><div id="inventory-item-has-one-public">inventory-item-has-one-public</div></td><td><div>👍 <span class="assertion">An inventory item must have only one public property.</span></div><div>👎 <span class="diagnostic" title="inventory-item-has-one-public-diagnostic">This inventory-item has more than one public property.</span></div><div>context: <code>oscal:inventory-item</code></div><div>test: <code>not(oscal:prop[@name = 'public'][2])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ has only one public property. ➔ affirmative ➔ correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ has only one public property. ➔ negative ➔ error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 13</div></td></tr><tr><td><div id="inventory-item-has-scan-type">inventory-item-has-scan-type</div></td><td><div>👍 <span class="assertion">An inventory item must have a scan-type property.</span></div><div>👎 <span class="diagnostic" title="inventory-item-has-scan-type-diagnostic">This inventory-item lacks a scan-type property.</span></div><div>context: <code>oscal:inventory-item</code></div><div>test: <code>oscal:prop[@name = 'scan-type']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ has scan-type property. ➔ affirmative ➔ correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ has scan-type property. 
➔ negative ➔ error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 13</div></td></tr><tr><td><div id="inventory-item-has-one-scan-type">inventory-item-has-one-scan-type</div></td><td><div>👍 <span class="assertion">An inventory item has only one scan-type property.</span></div><div>👎 <span class="diagnostic" title="inventory-item-has-one-scan-type-diagnostic">This inventory-item has more than one scan-type property.</span></div><div>context: <code>oscal:inventory-item</code></div><div>test: <code>not(oscal:prop[@name = 'scan-type'][2])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ has only one scan-type property. ➔ affirmative ➔ correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ has only one scan-type property. ➔ negative ➔ error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 13</div></td></tr><tr><td><div id="inventory-item-has-allows-authenticated-scan">inventory-item-has-allows-authenticated-scan</div></td><td><div>👍 <span class="assertion">"infrastructure" inventory item has
an allows-authenticated-scan property.</span></div><div>👎 <span class="diagnostic" title="inventory-item-has-allows-authenticated-scan-diagnostic">This inventory-item lacks an allows-authenticated-scan
property.</span></div><div>context: <code>oscal:inventory-item</code></div><div>test: <code>not($is-infrastructure) or oscal:prop[@name = 'allows-authenticated-scan']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ has a allows-authenticated-scan property ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ lacks a allows-authenticated-scan property ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 13</div></td></tr><tr><td><div id="inventory-item-has-one-allows-authenticated-scan">inventory-item-has-one-allows-authenticated-scan</div></td><td><div>👍 <span class="assertion">An inventory item has
only one allows-authenticated-scan property.</span></div><div>👎 <span class="diagnostic" title="inventory-item-has-one-allows-authenticated-scan-diagnostic">This inventory-item has more than one allows-authenticated-scan
property.</span></div><div>context: <code>oscal:inventory-item</code></div><div>test: <code>not($is-infrastructure) or not(oscal:prop[@name = 'allows-authenticated-scan'][2])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ has only one one-allows-authenticated-scan property. ➔ affirmative ➔ correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ has only one one-allows-authenticated-scan property. ➔ negative ➔ error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 13</div></td></tr><tr><td><div id="inventory-item-has-baseline-configuration-name">inventory-item-has-baseline-configuration-name</div></td><td><div>👍 <span class="assertion">"infrastructure" inventory item has
a baseline-configuration-name property.</span></div><div>👎 <span class="diagnostic" title="inventory-item-has-baseline-configuration-name-diagnostic">This inventory-item lacks a baseline-configuration-name
property.</span></div><div>context: <code>oscal:inventory-item</code></div><div>test: <code>not($is-infrastructure) or oscal:prop[@name = 'baseline-configuration-name']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ has a baseline-configuration-name property ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ lacks a baseline-configuration-name property ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 13</div></td></tr><tr><td><div id="inventory-item-has-one-baseline-configuration-name">inventory-item-has-one-baseline-configuration-name</div></td><td><div>👍 <span class="assertion">"infrastructure" inventory item has only
one baseline-configuration-name.</span></div><div>👎 <span class="diagnostic" title="inventory-item-has-one-baseline-configuration-name-diagnostic">This inventory-item has more than one baseline-configuration-name
property.</span></div><div>context: <code>oscal:inventory-item</code></div><div>test: <code>not($is-infrastructure) or not(oscal:prop[@name = 'baseline-configuration-name'][2])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ "infrastructure" asset-type has only one baseline-configuration-name. ➔ affirmative ➔ correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ "infrastructure" asset-type has only one baseline-configuration-name. ➔ negative ➔ error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 13</div></td></tr><tr><td><div id="inventory-item-has-vendor-name">inventory-item-has-vendor-name</div></td><td><div>👍 <span class="assertion"> "infrastructure"
inventory item has a vendor-name property.</span></div><div>👎 <span class="diagnostic" title="inventory-item-has-vendor-name-diagnostic">This inventory-item lacks a vendor-name property.</span></div><div>context: <code>oscal:inventory-item</code></div><div>test: <code>not($is-infrastructure) or oscal:prop[(: @ns = 'https://fedramp.gov/ns/oscal' and :)@name = 'vendor-name']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ has a vendor-name property ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ lacks a vendor-name property ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 13</div></td></tr><tr><td><div id="inventory-item-has-one-vendor-name">inventory-item-has-one-vendor-name</div></td><td><div>👍 <span class="assertion">
"infrastructure" inventory item must have only one vendor-name property.</span></div><div>👎 <span class="diagnostic" title="inventory-item-has-one-vendor-name-diagnostic">This inventory-item has more than one vendor-name property.</span></div><div>context: <code>oscal:inventory-item</code></div><div>test: <code>not($is-infrastructure) or not(oscal:prop[(: @ns = 'https://fedramp.gov/ns/oscal' and :)@name = 'vendor-name'][2])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ "infrastructure" asset-type has only one vendor-name property. ➔ affirmative ➔ correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ "infrastructure" asset-type has only one vendor-name property. ➔ negative ➔ error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 13</div></td></tr><tr><td><div id="inventory-item-has-hardware-model">inventory-item-has-hardware-model</div></td><td><div>👍 <span class="assertion"> "infrastructure"
inventory item must have a hardware-model property.</span></div><div>👎 <span class="diagnostic" title="inventory-item-has-hardware-model-diagnostic">This inventory-item lacks a hardware-model property.</span></div><div>context: <code>oscal:inventory-item</code></div><div>test: <code>not($is-infrastructure) or oscal:prop[(: @ns = 'https://fedramp.gov/ns/oscal' and :)@name = 'hardware-model']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ "infrastructure" asset-type has a hardware-model property. ➔ affirmative ➔ correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ "infrastructure" asset-type has a hardware-model property. ➔ negative ➔ error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 13</div></td></tr><tr><td><div id="inventory-item-has-one-hardware-model">inventory-item-has-one-hardware-model</div></td><td><div>👍 <span class="assertion">
"infrastructure" inventory item must have only one hardware-model property.</span></div><div>👎 <span class="diagnostic" title="inventory-item-has-one-hardware-model-diagnostic">This inventory-item has more than one hardware-model property.</span></div><div>context: <code>oscal:inventory-item</code></div><div>test: <code>not($is-infrastructure) or not(oscal:prop[(: @ns = 'https://fedramp.gov/ns/oscal' and :)@name = 'hardware-model'][2])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ "infrastructure" asset-type has only one hardware-model property. ➔ affirmative ➔ correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ "infrastructure" asset-type has only one hardware-model property. ➔ negative ➔ error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 13</div></td></tr><tr><td><div id="inventory-item-has-is-scanned">inventory-item-has-is-scanned</div></td><td><div>👍 <span class="assertion">"infrastructure" inventory item must have is-scanned
property.</span></div><div>👎 <span class="diagnostic" title="inventory-item-has-is-scanned-diagnostic">This inventory-item lacks is-scanned property.</span></div><div>context: <code>oscal:inventory-item</code></div><div>test: <code>not($is-infrastructure) or oscal:prop[@name = 'is-scanned']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ "infrastructure" asset-type has is-scanned property. ➔ affirmative ➔ correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ "infrastructure" asset-type has is-scanned property. ➔ negative ➔ error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 13</div></td></tr><tr><td><div id="inventory-item-has-one-is-scanned">inventory-item-has-one-is-scanned</div></td><td><div>👍 <span class="assertion">"infrastructure" inventory item must have only one
is-scanned property.</span></div><div>👎 <span class="diagnostic" title="inventory-item-has-one-is-scanned-diagnostic">This inventory-item has more than one is-scanned property.</span></div><div>context: <code>oscal:inventory-item</code></div><div>test: <code>not($is-infrastructure) or not(oscal:prop[@name = 'is-scanned'][2])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ "infrastructure" asset-type has only one is-scanned property. ➔ affirmative ➔ correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ "infrastructure" asset-type has only one is-scanned property. ➔ negative ➔ error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 13</div></td></tr><tr><td><div id="inventory-item-has-software-name">inventory-item-has-software-name</div></td><td><div>👍 <span class="assertion">"software or database" inventory item must have a
software-name property.</span></div><div>👎 <span class="diagnostic" title="inventory-item-has-software-name-diagnostic">This inventory-item lacks software-name property.</span></div><div>context: <code>oscal:inventory-item</code></div><div>test: <code>not($is-software-and-database) or oscal:prop[@name = 'software-name']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ "software or database" asset-type has software-name property. ➔ affirmative ➔ correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ "software or database" asset-type has software-name property. ➔ negative ➔ error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 13</div></td></tr><tr><td><div id="inventory-item-has-one-software-name">inventory-item-has-one-software-name</div></td><td><div>👍 <span class="assertion">"software or database" inventory item must have a
software-name property.</span></div><div>👎 <span class="diagnostic" title="inventory-item-has-one-software-name-diagnostic">This inventory-item has more than one software-name property.</span></div><div>context: <code>oscal:inventory-item</code></div><div>test: <code>not($is-software-and-database) or not(oscal:prop[@name = 'software-name'][2])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ "software or database" asset-type has one software-name property. ➔ affirmative ➔ correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ "software or database" asset-type has one software-name property. ➔ negative ➔ error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 13</div></td></tr><tr><td><div id="inventory-item-has-software-version">inventory-item-has-software-version</div></td><td><div>👍 <span class="assertion">"software or database" inventory item must have a
software-version property.</span></div><div>👎 <span class="diagnostic" title="inventory-item-has-software-version-diagnostic">This inventory-item lacks software-version property.</span></div><div>context: <code>oscal:inventory-item</code></div><div>test: <code>not($is-software-and-database) or oscal:prop[@name = 'software-version']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ "software or database" asset-type has software-version property. ➔ affirmative ➔ correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ "software or database" asset-type has software-version property. ➔ negative ➔ error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 13</div></td></tr><tr><td><div id="inventory-item-has-one-software-version">inventory-item-has-one-software-version</div></td><td><div>👍 <span class="assertion">"software or database" inventory item must
have one software-version property.</span></div><div>👎 <span class="diagnostic" title="inventory-item-has-one-software-version-diagnostic">This inventory-item has more than one software-version property.</span></div><div>context: <code>oscal:inventory-item</code></div><div>test: <code>not($is-software-and-database) or not(oscal:prop[@name = 'software-version'][2])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ "software or database" asset-type has one software-version property. ➔ affirmative ➔ correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ "software or database" asset-type has one software-version property. ➔ negative ➔ error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 13</div></td></tr><tr><td><div id="inventory-item-has-function">inventory-item-has-function</div></td><td><div>👍 <span class="assertion">"software or database" inventory item must have a function
property.</span></div><div>👎 <span class="diagnostic" title="inventory-item-has-function-diagnostic"><span class="substitution">&lt;sch:value-of select="name()"/&gt;</span> "<span class="substitution">&lt;sch:value-of select="oscal:prop[@name = 'asset-type']/@value"/&gt;</span>" lacks function property.</span></div><div>context: <code>oscal:inventory-item</code></div><div>test: <code>not($is-software-and-database) or oscal:prop[@name = 'function']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ "software or database" asset-type has function property. ➔ affirmative ➔ correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ "software or database" asset-type has function property. ➔ negative ➔ error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 13</div></td></tr><tr><td><div id="inventory-item-has-one-function">inventory-item-has-one-function</div></td><td><div>👍 <span class="assertion">"software or database" inventory item must have one
function property.</span></div><div>👎 <span class="diagnostic" title="inventory-item-has-one-function-diagnostic"><span class="substitution">&lt;sch:value-of select="name()"/&gt;</span> "<span class="substitution">&lt;sch:value-of select="oscal:prop[@name = 'asset-type']/@value"/&gt;</span>" has more than one function property.</span></div><div>context: <code>oscal:inventory-item</code></div><div>test: <code>not($is-software-and-database) or not(oscal:prop[@name = 'function'][2])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ "software or database" asset-type has one function property. ➔ affirmative ➔ correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory ➔ when the inventory-item ➔ "software or database" asset-type has one function property. ➔ negative ➔ error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §6.5</div><div>FedRAMP template-reference: System Security Plan Template §15 Attachment 13</div></td></tr><tr><td><div id="has-this-system-component">has-this-system-component</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP must have a self-referential (i.e., to the SSP itself)
component.</span></div><div>👎 <span class="diagnostic" title="has-this-system-component-diagnostic">This FedRAMP OSCAL SSP lacks a "this-system" component.</span></div><div>context: <code>oscal:system-implementation</code></div><div>test: <code>exists(oscal:component[@type = 'this-system'])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Characteristics ➔ Affirmative test: ➔ The this-system component must be defined. ➔ When it is ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Characteristics ➔ Negative test: ➔ The this-system component must be defined. ➔ When it is not ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §5.4.6</div></td></tr><tr><td><div id="has-system-id">has-system-id</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP must have a FedRAMP system identifier.</span></div><div>👎 <span class="diagnostic" title="has-system-id-diagnostic">This FedRAMP OSCAL SSP lacks a FedRAMP system-id.</span></div><div>context: <code>oscal:system-characteristics</code></div><div>test: <code>oscal:system-id[@identifier-type = 'https://fedramp.gov']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Characteristics ➔ Affirmative test: ➔ The system-id must be defined. ➔ When it is ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Characteristics ➔ Negative test: ➔ The system-id must be defined. 
➔ When it is not ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.1</div><div>FedRAMP template-reference: System Security Plan Template §1</div></td></tr><tr><td><div id="has-system-name">has-system-name</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP must have a system name.</span></div><div>👎 <span class="diagnostic" title="has-system-name-diagnostic">This FedRAMP OSCAL SSP lacks a system-name.</span></div><div>context: <code>oscal:system-characteristics</code></div><div>test: <code>oscal:system-name</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Characteristics ➔ Affirmative test: ➔ The system-name must be defined. ➔ When it is ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Characteristics ➔ Negative test: ➔ The system-name must be defined. ➔ When it is not ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.1</div><div>FedRAMP template-reference: System Security Plan Template §1</div></td></tr><tr><td><div id="has-system-name-short">has-system-name-short</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP must have a short system name.</span></div><div>👎 <span class="diagnostic" title="has-system-name-short-diagnostic">This FedRAMP OSCAL SSP lacks a system-name-short.</span></div><div>context: <code>oscal:system-characteristics</code></div><div>test: <code>oscal:system-name-short</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Characteristics ➔ Affirmative test: ➔ The system-name-short must be defined. ➔ When it is ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Characteristics ➔ Negative test: ➔ The system-name-short must be defined. 
➔ When it is not ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.1</div><div>FedRAMP template-reference: System Security Plan Template §1</div></td></tr><tr><td><div id="has-fedramp-authorization-type">has-fedramp-authorization-type</div></td><td><div>👍 <span class="assertion">
A FedRAMP SSP must have a FedRAMP authorization type.</span></div><div>👎 <span class="diagnostic" title="has-fedramp-authorization-type-diagnostic">This FedRAMP OSCAL SSP lacks a FedRAMP authorization type.</span></div><div>context: <code>oscal:system-characteristics</code></div><div>test: <code>oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @name = 'authorization-type' and @value = ('fedramp-jab', 'fedramp-agency', 'fedramp-li-saas')]</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Characteristics ➔ Affirmative test: ➔ The fedramp-authorization-type must be defined. ➔ When it is ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Characteristics ➔ Negative test: ➔ The fedramp-authorization-type must be defined. ➔ When it is not ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.2</div></td></tr><tr><td><div id="role-defined-system-owner">role-defined-system-owner</div></td><td><div>👍 <span class="assertion">The System Owner role must be defined.</span></div><div>👎 <span class="diagnostic" title="role-defined-system-owner-diagnostic">The system-owner role is missing.</span></div><div>context: <code>oscal:metadata</code></div><div>test: <code>oscal:role[@id = 'system-owner']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Roles ➔ affirmative ➔ The system-owner role must be defined. ➔ When it is ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Roles ➔ negative ➔ The system-owner role must be defined. 
➔ When it is not ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.6</div><div>FedRAMP template-reference: System Security Plan Template §3</div></td></tr><tr><td><div id="role-defined-authorizing-official">role-defined-authorizing-official</div></td><td><div>👍 <span class="assertion">The Authorizing Official role must be defined.</span></div><div>👎 <span class="diagnostic" title="role-defined-authorizing-official-diagnostic">The authorizing-official role is missing.</span></div><div>context: <code>oscal:metadata</code></div><div>test: <code>oscal:role[@id = 'authorizing-official']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Roles ➔ affirmative ➔ The authorizing-official role must be defined. ➔ When it is ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Roles ➔ negative ➔ The authorizing-official role must be defined. ➔ When it is not ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.7</div><div>FedRAMP template-reference: System Security Plan Template §4</div></td></tr><tr><td><div id="role-defined-system-poc-management">role-defined-system-poc-management</div></td><td><div>👍 <span class="assertion">The System Management PoC role must be defined.</span></div><div>👎 <span class="diagnostic" title="role-defined-system-poc-management-diagnostic">The system-poc-management role is missing.</span></div><div>context: <code>oscal:metadata</code></div><div>test: <code>oscal:role[@id = 'system-poc-management']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Roles ➔ affirmative ➔ The system-poc-management role must be defined. ➔ When it is ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Roles ➔ negative ➔ The system-poc-management role must be defined. 
➔ When it is not ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.8</div><div>FedRAMP template-reference: System Security Plan Template §5</div></td></tr><tr><td><div id="role-defined-system-poc-technical">role-defined-system-poc-technical</div></td><td><div>👍 <span class="assertion">The System Technical PoC role must be defined.</span></div><div>👎 <span class="diagnostic" title="role-defined-system-poc-technical-diagnostic">The system-poc-technical role is missing.</span></div><div>context: <code>oscal:metadata</code></div><div>test: <code>oscal:role[@id = 'system-poc-technical']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Roles ➔ affirmative ➔ The system-poc-technical role must be defined. ➔ When it is ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Roles ➔ negative ➔ The system-poc-technical role must be defined. ➔ When it is not ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.9</div><div>FedRAMP template-reference: System Security Plan Template §5</div></td></tr><tr><td><div id="role-defined-system-poc-other">role-defined-system-poc-other</div></td><td><div>👍 <span class="assertion">The System Other PoC role must be defined.</span></div><div>👎 <span class="diagnostic" title="role-defined-system-poc-other-diagnostic">The system-poc-other role is missing.</span></div><div>context: <code>oscal:metadata</code></div><div>test: <code>oscal:role[@id = 'system-poc-other']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Roles ➔ affirmative ➔ The system-poc-other role must be defined. ➔ When it is ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Roles ➔ negative ➔ The system-poc-other role must be defined. 
➔ When it is not ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.9</div><div>FedRAMP template-reference: System Security Plan Template §5</div></td></tr><tr><td><div id="role-defined-information-system-security-officer">role-defined-information-system-security-officer</div></td><td><div>👍 <span class="assertion">The Information System Security Officer role must be
defined.</span></div><div>👎 <span class="diagnostic" title="role-defined-information-system-security-officer-diagnostic">The information-system-security-officer role is missing.</span></div><div>context: <code>oscal:metadata</code></div><div>test: <code>oscal:role[@id = 'information-system-security-officer']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Roles ➔ affirmative ➔ The information-system-security-officer role must be defined. ➔ When it is ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Roles ➔ negative ➔ The information-system-security-officer role must be defined. ➔ When it is not ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.10</div><div>FedRAMP template-reference: System Security Plan Template §6</div></td></tr><tr><td><div id="role-defined-authorizing-official-poc">role-defined-authorizing-official-poc</div></td><td><div>👍 <span class="assertion">The Authorizing Official PoC role must be defined.</span></div><div>👎 <span class="diagnostic" title="role-defined-authorizing-official-poc-diagnostic">The authorizing-official-poc role is missing.</span></div><div>context: <code>oscal:metadata</code></div><div>test: <code>oscal:role[@id = 'authorizing-official-poc']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Roles ➔ affirmative ➔ The authorizing-official-poc role must be defined. ➔ When it is ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Roles ➔ negative ➔ The authorizing-official-poc role must be defined. 
➔ When it is not ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.11</div><div>FedRAMP template-reference: System Security Plan Template §6</div></td></tr><tr><td><div id="role-has-title">role-has-title</div></td><td><div>👍 <span class="assertion">A role must have a title.</span></div><div>👎 <span class="diagnostic" title="role-has-title-diagnostic">This role lacks a title.</span></div><div>context: <code>oscal:role</code></div><div>test: <code>oscal:title</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Roles ➔ affirmative ➔ A role must have a title. ➔ When it does ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Roles ➔ negative ➔ A role must have a title. ➔ When it does not ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.6-§4.10</div><div>FedRAMP template-reference: System Security Plan Template §9.3</div></td></tr><tr><td><div id="role-has-responsible-party">role-has-responsible-party</div></td><td><div>👍 <span class="assertion">One or more responsible parties must be defined for each role.</span></div><div>👎 <span class="diagnostic" title="role-has-responsible-party-diagnostic">This role has no responsible parties.</span></div><div>context: <code>oscal:role</code></div><div>test: <code>//oscal:responsible-party[@role-id = current()/@id]</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Roles ➔ affirmative ➔ One or more responsible parties must be defined for each role. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Roles ➔ negative ➔ One or more responsible parties must be defined for each role. 
➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.6-§4.10</div><div>FedRAMP template-reference: System Security Plan Template §9.3</div></td></tr><tr><td><div id="responsible-party-has-person">responsible-party-has-person</div></td><td><div>👍 <span class="assertion">Each responsible party must identify a person using that
person's unique identifier.</span></div><div>👎 <span class="diagnostic" title="responsible-party-has-person-diagnostic">This responsible-party party-uuid does not identify a person.</span></div><div>context: <code>oscal:responsible-party</code></div><div>test: <code>//oscal:party[@uuid = current()/oscal:party-uuid and @type = 'person']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Roles ➔ affirmative ➔ Each responsible-party party-uuid must identify a person. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Roles ➔ negative ➔ Each responsible-party party-uuid must identify a person. ➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.6-§4.10</div></td></tr><tr><td><div id="party-has-responsibility">party-has-responsibility</div></td><td><div>👍 <span class="assertion">Each person should have a responsibility.</span></div><div>👎 <span class="diagnostic" title="party-has-responsibility-diagnostic">This person has no responsibility.</span></div><div>context: <code>oscal:party[@type = 'person']</code></div><div>test: <code>//oscal:responsible-party[oscal:party-uuid = current()/@uuid]</code></div><div>role: <code>warning</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Roles ➔ affirmative ➔ Each person should have a responsibility. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Roles ➔ negative ➔ Each person should have a responsibility. 
➔ When that is false ➔ that is an anomaly.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.6-§4.10</div></td></tr><tr><td><div id="implemented-requirement-has-responsible-role">implemented-requirement-has-responsible-role</div></td><td><div>👍 <span class="assertion">Each implemented control must have one or more responsible-role definitions.</span></div><div>👎 <span class="diagnostic" title="implemented-requirement-has-responsible-role-diagnostic">This implemented-requirement lacks a responsible-role
definition.</span></div><div>context: <code>oscal:implemented-requirement</code></div><div>test: <code>oscal:responsible-role</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Roles ➔ affirmative ➔ Each implemented-requirement must have one or more responsible-role definitions. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Roles ➔ negative ➔ Each implemented-requirement must have one or more responsible-role definitions. ➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §5.2</div></td></tr><tr><td><div id="responsible-role-has-role-definition">responsible-role-has-role-definition</div></td><td><div>👍 <span class="assertion">Each responsible-role must reference a role definition.</span></div><div>👎 <span class="diagnostic" title="responsible-role-has-role-definition-diagnostic">This responsible-role references a non-existent role definition.</span></div><div>context: <code>oscal:responsible-role</code></div><div>test: <code>//oscal:role/@id = current()/@role-id</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Roles ➔ affirmative ➔ Each responsible-role must reference a role definition. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Roles ➔ negative ➔ Each responsible-role must reference a role definition. ➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §5.2</div><div>FedRAMP template-reference: System Security Plan Template §13</div></td></tr><tr><td><div id="responsible-role-has-user">responsible-role-has-user</div></td><td><div>👍 <span class="assertion">Each responsible-role must be referenced in a system-implementation user
assembly.</span></div><div>👎 <span class="diagnostic" title="responsible-role-has-user-diagnostic">This responsible-role lacks a system-implementation user assembly.</span></div><div>context: <code>oscal:responsible-role</code></div><div>test: <code>//oscal:role-id = current()/@role-id</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Roles ➔ affirmative ➔ Each responsible-role must be referenced in a system-implementation user assembly. ➔ When it is ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Roles ➔ negative ➔ Each responsible-role must be referenced in a system-implementation user assembly. ➔ When it is not ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §5.2</div><div>FedRAMP template-reference: System Security Plan Template §13</div></td></tr><tr><td><div id="user-has-role-id">user-has-role-id</div></td><td><div>👍 <span class="assertion">Every user has a role identifier.</span></div><div>👎 <span class="diagnostic" title="user-has-role-id-diagnostic">This user lacks a role-id.</span></div><div>context: <code>oscal:user</code></div><div>test: <code>oscal:role-id</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP User-related unit tests ➔ affirmative ➔ Every user has a role-id. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP User-related unit tests ➔ negative ➔ Every user has a role-id. 
➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.18</div><div>FedRAMP template-reference: System Security Plan Template §9.3</div></td></tr><tr><td><div id="user-has-user-type">user-has-user-type</div></td><td><div>👍 <span class="assertion">Every user has a user type.</span></div><div>👎 <span class="diagnostic" title="user-has-user-type-diagnostic">This user lacks a user type property.</span></div><div>context: <code>oscal:user</code></div><div>test: <code>oscal:prop[@name = 'type']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP User-related unit tests ➔ affirmative ➔ Every user has a user type property. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP User-related unit tests ➔ negative ➔ Every user has a user type property. ➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.18</div><div>FedRAMP template-reference: System Security Plan Template §9.3</div></td></tr><tr><td><div id="user-has-privilege-level">user-has-privilege-level</div></td><td><div>👍 <span class="assertion">Every user has a privilege-level.</span></div><div>👎 <span class="diagnostic" title="user-has-privilege-level-diagnostic">This user lacks a privilege-level property.</span></div><div>context: <code>oscal:user</code></div><div>test: <code>oscal:prop[@name = 'privilege-level']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP User-related unit tests ➔ affirmative ➔ Every user has a privilege type property. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP User-related unit tests ➔ negative ➔ Every user has a privilege type property. 
➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.18</div><div>FedRAMP template-reference: System Security Plan Template §9.3</div></td></tr><tr><td><div id="user-has-sensitivity-level">user-has-sensitivity-level</div></td><td><div>👍 <span class="assertion">Every user has a sensitivity level.</span></div><div>👎 <span class="diagnostic" title="user-has-sensitivity-level-diagnostic">This user lacks a sensitivity level property.</span></div><div>context: <code>oscal:user</code></div><div>test: <code>oscal:prop[@ns = 'https://fedramp.gov/ns/oscal'][@name = 'sensitivity']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP User-related unit tests ➔ affirmative ➔ Every user has a sensitivity level property. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP User-related unit tests ➔ negative ➔ Every user has a sensitivity level property. ➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.18</div><div>FedRAMP template-reference: System Security Plan Template §9.3</div></td></tr><tr><td><div id="user-has-authorized-privilege">user-has-authorized-privilege</div></td><td><div>👍 <span class="assertion">Every user has one or more authorized privileges.</span></div><div>👎 <span class="diagnostic" title="user-has-authorized-privilege-diagnostic">This user lacks one or more authorized-privileges.</span></div><div>context: <code>oscal:user</code></div><div>test: <code>oscal:authorized-privilege</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP User-related unit tests ➔ affirmative ➔ Every user has one or more authorized-privileges. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP User-related unit tests ➔ negative ➔ Every user has one or more authorized-privileges. 
➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.18</div><div>FedRAMP template-reference: System Security Plan Template §9.3</div></td></tr><tr><td><div id="role-id-has-role-definition">role-id-has-role-definition</div></td><td><div>👍 <span class="assertion">Each identified role must reference a role definition.</span></div><div>👎 <span class="diagnostic" title="role-id-has-role-definition-diagnostic">This role-id references a non-existent role definition.</span></div><div>context: <code>oscal:user/oscal:role-id</code></div><div>test: <code>//oscal:role[@id = current()]</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Roles ➔ affirmative ➔ Each role-id must reference a role definition. ➔ When it does ➔ that is correct.</div><div>affirmative XSpec test: FedRAMP OSCAL SSP User-related unit tests ➔ affirmative ➔ Each role-id must reference a role definition. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Roles ➔ negative ➔ Each role-id must reference a role definition. ➔ When it does not ➔ that is an error.</div><div>negative XSpec test: FedRAMP OSCAL SSP User-related unit tests ➔ negative ➔ Each role-id must reference a role definition. ➔ When that is false ➔ that is an error.</div>
<div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.18</div><div>FedRAMP template-reference: System Security Plan Template §9.3</div></td></tr><tr><td><div id="user-user-type-has-allowed-value">user-user-type-has-allowed-value</div></td><td><div>👍 <span class="assertion">User type property has an allowed value.</span></div><div>👎 <span class="diagnostic" title="user-user-type-has-allowed-value-diagnostic">This user type property lacks an allowed value.</span></div><div>context: <code>oscal:user/oscal:prop[@name = 'type']</code></div><div>test: <code>current()/@value = $user-types</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP User-related unit tests ➔ affirmative ➔ User type property has an allowed value. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP User-related unit tests ➔ negative ➔ User type property has an allowed value. ➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.18</div><div>FedRAMP template-reference: System Security Plan Template §9.3</div></td></tr><tr><td><div id="user-privilege-level-has-allowed-value">user-privilege-level-has-allowed-value</div></td><td><div>👍 <span class="assertion">User privilege level has an allowed value.</span></div><div>👎 <span class="diagnostic" title="user-privilege-level-has-allowed-value-diagnostic">User privilege-level property has an allowed value.</span></div><div>context: <code>oscal:user/oscal:prop[@name = 'privilege-level']</code></div><div>test: <code>current()/@value = $user-privilege-levels</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP User-related unit tests ➔ affirmative ➔ User privilege type property has an allowed value. 
➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP User-related unit tests ➔ negative ➔ User privilege type property has an allowed value. ➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.18</div><div>FedRAMP template-reference: System Security Plan Template §9.3</div></td></tr><tr><td><div id="user-sensitivity-level-has-allowed-value">user-sensitivity-level-has-allowed-value</div></td><td><div>👍 <span class="assertion">User sensitivity level has an allowed value.</span></div><div>👎 <span class="diagnostic" title="user-sensitivity-level-has-allowed-value-diagnostic">This user sensitivity level property lacks an allowed value.</span></div><div>context: <code>oscal:user/oscal:prop[@ns = 'https://fedramp.gov/ns/oscal'][@name = 'sensitivity']</code></div><div>test: <code>current()/@value = $user-sensitivity-levels</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP User-related unit tests ➔ affirmative ➔ User sensitivity level property has an allowed value. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP User-related unit tests ➔ negative ➔ User sensitivity level property has an allowed value. 
➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.18</div><div>FedRAMP template-reference: System Security Plan Template §9.3</div></td></tr><tr><td><div id="authorized-privilege-has-title">authorized-privilege-has-title</div></td><td><div>👍 <span class="assertion">Every authorized privilege has a title.</span></div><div>👎 <span class="diagnostic" title="authorized-privilege-has-title-diagnostic">This authorized-privilege lacks a title.</span></div><div>context: <code>oscal:user/oscal:authorized-privilege</code></div><div>test: <code>oscal:title</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP User-related unit tests ➔ affirmative ➔ Every authorized-privilege has a title. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP User-related unit tests ➔ negative ➔ Every authorized-privilege has a title. ➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.18</div><div>FedRAMP template-reference: System Security Plan Template §9.3</div></td></tr><tr><td><div id="authorized-privilege-has-function-performed">authorized-privilege-has-function-performed</div></td><td><div>👍 <span class="assertion">Every authorized privilege is associated with one or more functions performed.</span></div><div>👎 <span class="diagnostic" title="authorized-privilege-has-function-performed-diagnostic">This authorized-privilege lacks one or more
function-performed.</span></div><div>context: <code>oscal:user/oscal:authorized-privilege</code></div><div>test: <code>oscal:function-performed</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP User-related unit tests ➔ affirmative ➔ Every authorized-privilege has one or more function-performed. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP User-related unit tests ➔ negative ➔ Every authorized-privilege has one or more function-performed. ➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.18</div><div>FedRAMP template-reference: System Security Plan Template §9.3</div></td></tr><tr><td><div id="authorized-privilege-has-non-empty-title">authorized-privilege-has-non-empty-title</div></td><td><div>👍 <span class="assertion">Every authorized privilege title is not empty.</span></div><div>👎 <span class="diagnostic" title="authorized-privilege-has-non-empty-title-diagnostic">This authorized-privilege title is empty.</span></div><div>context: <code>oscal:authorized-privilege/oscal:title</code></div><div>test: <code>current() ne ''</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP User-related unit tests ➔ affirmative ➔ Every authorized-privilege title is non-empty. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP User-related unit tests ➔ negative ➔ Every authorized-privilege title is non-empty. 
➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.18</div><div>FedRAMP template-reference: System Security Plan Template §9.3</div></td></tr><tr><td><div id="authorized-privilege-has-non-empty-function-performed">authorized-privilege-has-non-empty-function-performed</div></td><td><div>👍 <span class="assertion">Every authorized privilege function performed has a definition.</span></div><div>👎 <span class="diagnostic" title="authorized-privilege-has-non-empty-function-performed-diagnostic">This authorized-privilege lacks a non-empty
function-performed.</span></div><div>context: <code>oscal:authorized-privilege/oscal:function-performed</code></div><div>test: <code>current() ne ''</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP User-related unit tests ➔ affirmative ➔ Every authorized-privilege has a non-empty function-performed. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP User-related unit tests ➔ negative ➔ Every authorized-privilege has a non-empty function-performed. ➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.18</div><div>FedRAMP template-reference: System Security Plan Template §9.3</div></td></tr><tr><td><div id="has-authorization-boundary">has-authorization-boundary</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP includes an authorization boundary.</span></div><div>👎 <span class="diagnostic" title="has-authorization-boundary-diagnostic">This FedRAMP OSCAL SSP lacks an authorization-boundary in its
system-characteristics.</span></div><div>context: <code>oscal:system-characteristics</code></div><div>test: <code>oscal:authorization-boundary</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ affirmative unit tests ➔ A FedRAMP OSCAL SSP includes an authorization-boundary in its system-characteristics. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ negative unit tests ➔ A FedRAMP OSCAL SSP includes an authorization-boundary in its system-characteristics. ➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.17 Authorization Boundary Diagram</div><div>FedRAMP template-reference: System Security Plan Template §9.2</div></td></tr><tr><td><div id="has-authorization-boundary-description">has-authorization-boundary-description</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP has an authorization boundary description.</span></div><div>👎 <span class="diagnostic" title="has-authorization-boundary-description-diagnostic">This FedRAMP OSCAL SSP lacks an authorization-boundary
description.</span></div><div>context: <code>oscal:authorization-boundary</code></div><div>test: <code>oscal:description</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ affirmative unit tests ➔ A FedRAMP OSCAL SSP has an authorization-boundary description. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ negative unit tests ➔ A FedRAMP OSCAL SSP has an authorization-boundary description. ➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.17 Authorization Boundary Diagram</div><div>FedRAMP template-reference: System Security Plan Template §9.2</div></td></tr><tr><td><div id="has-authorization-boundary-diagram">has-authorization-boundary-diagram</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP has at least one authorization boundary diagram.</span></div><div>👎 <span class="diagnostic" title="has-authorization-boundary-diagram-diagnostic">This FedRAMP OSCAL SSP lacks at least one authorization-boundary
diagram.</span></div><div>context: <code>oscal:authorization-boundary</code></div><div>test: <code>oscal:diagram</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ affirmative unit tests ➔ A FedRAMP OSCAL SSP has at least one authorization-boundary diagram. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ negative unit tests ➔ A FedRAMP OSCAL SSP has at least one authorization-boundary diagram. ➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.17 Authorization Boundary Diagram</div><div>FedRAMP template-reference: System Security Plan Template §9.2</div></td></tr><tr><td><div id="has-authorization-boundary-diagram-uuid">has-authorization-boundary-diagram-uuid</div></td><td><div>👍 <span class="assertion">Each FedRAMP SSP authorization boundary diagram has a unique identifier.</span></div><div>👎 <span class="diagnostic" title="has-authorization-boundary-diagram-uuid-diagnostic">This FedRAMP OSCAL SSP authorization-boundary diagram lacks a uuid
attribute.</span></div><div>context: <code>oscal:authorization-boundary/oscal:diagram</code></div><div>test: <code>@uuid</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ affirmative unit tests ➔ Each FedRAMP OSCAL SSP authorization-boundary diagram has a uuid attribute. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ negative unit tests ➔ Each FedRAMP OSCAL SSP authorization-boundary diagram has a uuid attribute. ➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.17 Authorization Boundary Diagram</div><div>FedRAMP template-reference: System Security Plan Template §9.2</div></td></tr><tr><td><div id="has-authorization-boundary-diagram-description">has-authorization-boundary-diagram-description</div></td><td><div>👍 <span class="assertion">Each FedRAMP SSP authorization boundary diagram has a description.</span></div><div>👎 <span class="diagnostic" title="has-authorization-boundary-diagram-description-diagnostic">This FedRAMP OSCAL SSP authorization-boundary diagram lacks a
description.</span></div><div>context: <code>oscal:authorization-boundary/oscal:diagram</code></div><div>test: <code>oscal:description</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ affirmative unit tests ➔ Each FedRAMP OSCAL SSP authorization-boundary diagram has a description. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ negative unit tests ➔ Each FedRAMP OSCAL SSP authorization-boundary diagram has a description. ➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.17 Authorization Boundary Diagram</div><div>FedRAMP template-reference: System Security Plan Template §9.2</div></td></tr><tr><td><div id="has-authorization-boundary-diagram-link">has-authorization-boundary-diagram-link</div></td><td><div>👍 <span class="assertion">Each FedRAMP SSP authorization boundary diagram has a link.</span></div><div>👎 <span class="diagnostic" title="has-authorization-boundary-diagram-link-diagnostic">This FedRAMP OSCAL SSP authorization-boundary diagram lacks a
link.</span></div><div>context: <code>oscal:authorization-boundary/oscal:diagram</code></div><div>test: <code>oscal:link</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ affirmative unit tests ➔ Each FedRAMP OSCAL SSP authorization-boundary diagram has a link. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ negative unit tests ➔ Each FedRAMP OSCAL SSP authorization-boundary diagram has a link. ➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.17 Authorization Boundary Diagram</div><div>FedRAMP template-reference: System Security Plan Template §9.2</div></td></tr><tr><td><div id="has-authorization-boundary-diagram-caption">has-authorization-boundary-diagram-caption</div></td><td><div>👍 <span class="assertion">Each FedRAMP SSP authorization boundary diagram has a caption.</span></div><div>👎 <span class="diagnostic" title="has-authorization-boundary-diagram-caption-diagnostic">This FedRAMP OSCAL SSP authorization-boundary diagram lacks a
caption.</span></div><div>context: <code>oscal:authorization-boundary/oscal:diagram</code></div><div>test: <code>oscal:caption</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ affirmative unit tests ➔ Each FedRAMP OSCAL SSP authorization-boundary diagram has a caption. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ negative unit tests ➔ Each FedRAMP OSCAL SSP authorization-boundary diagram has a caption. ➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.17 Authorization Boundary Diagram</div><div>FedRAMP template-reference: System Security Plan Template §9.2</div></td></tr><tr><td><div id="has-authorization-boundary-diagram-link-rel">has-authorization-boundary-diagram-link-rel</div></td><td><div>👍 <span class="assertion">Each FedRAMP SSP authorization boundary diagram has a link rel attribute.</span></div><div>👎 <span class="diagnostic" title="has-authorization-boundary-diagram-link-rel-diagnostic">This FedRAMP OSCAL SSP authorization-boundary diagram lacks a link rel
attribute.</span></div><div>context: <code>oscal:authorization-boundary/oscal:diagram/oscal:link</code></div><div>test: <code>@rel</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ affirmative unit tests ➔ Each FedRAMP OSCAL SSP authorization-boundary diagram has a link rel attribute. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ negative unit tests ➔ Each FedRAMP OSCAL SSP authorization-boundary diagram has a link rel attribute. ➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.17 Authorization Boundary Diagram</div><div>FedRAMP template-reference: System Security Plan Template §9.2</div></td></tr><tr><td><div id="has-authorization-boundary-diagram-link-rel-allowed-value">has-authorization-boundary-diagram-link-rel-allowed-value</div></td><td><div>👍 <span class="assertion">Each FedRAMP SSP authorization boundary diagram has a link rel attribute with the value
"diagram".</span></div><div>👎 <span class="diagnostic" title="has-authorization-boundary-diagram-link-rel-allowed-value-diagnostic">This FedRAMP OSCAL SSP authorization-boundary diagram lacks a
link rel attribute with the value "diagram".</span></div><div>context: <code>oscal:authorization-boundary/oscal:diagram/oscal:link</code></div><div>test: <code>@rel = 'diagram'</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ affirmative unit tests ➔ Each FedRAMP OSCAL SSP authorization-boundary diagram has a link rel attribute with the value "diagram". ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ negative unit tests ➔ Each FedRAMP OSCAL SSP authorization-boundary diagram has a link rel attribute with the value "diagram". ➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.17 Authorization Boundary Diagram</div><div>FedRAMP template-reference: System Security Plan Template §9.2</div></td></tr><tr><td><div id="has-authorization-boundary-diagram-link-href-target">has-authorization-boundary-diagram-link-href-target</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP authorization boundary diagram link
references a back-matter resource representing the diagram document.</span></div><div>👎 <span class="diagnostic" title="has-authorization-boundary-diagram-link-href-target-diagnostic">This FedRAMP OSCAL SSP authorization-boundary diagram link does not
reference a back-matter resource representing the diagram document.</span></div><div>context: <code>oscal:authorization-boundary/oscal:diagram/oscal:link</code></div><div>test: <code>exists(//oscal:resource[@uuid = substring-after(current()/@href, '#')])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ affirmative unit tests ➔ A FedRAMP OSCAL SSP authorization-boundary diagram link references a back-matter resource representing the diagram document. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ negative unit tests ➔ A FedRAMP OSCAL SSP authorization-boundary diagram link references a back-matter resource representing the diagram document. ➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.17 Authorization Boundary Diagram</div><div>FedRAMP template-reference: System Security Plan Template §9.2</div></td></tr><tr><td><div id="has-network-architecture">has-network-architecture</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP includes a network architecture diagram.</span></div><div>👎 <span class="diagnostic" title="has-network-architecture-diagnostic">This FedRAMP OSCAL SSP lacks a network-architecture in its
system-characteristics.</span></div><div>context: <code>oscal:system-characteristics</code></div><div>test: <code>oscal:network-architecture</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ affirmative unit tests ➔ A FedRAMP OSCAL SSP includes a network-architecture in its system-characteristics. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ negative unit tests ➔ A FedRAMP OSCAL SSP includes a network-architecture in its system-characteristics. ➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.22 Network Architecture Diagram</div><div>FedRAMP template-reference: System Security Plan Template §9.4</div></td></tr><tr><td><div id="has-network-architecture-description">has-network-architecture-description</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP has a network architecture description.</span></div><div>👎 <span class="diagnostic" title="has-network-architecture-description-diagnostic">This FedRAMP OSCAL SSP lacks a network-architecture description.</span></div><div>context: <code>oscal:network-architecture</code></div><div>test: <code>oscal:description</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ affirmative unit tests ➔ A FedRAMP OSCAL SSP has a network-architecture description. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ negative unit tests ➔ A FedRAMP OSCAL SSP has a network-architecture description. 
➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.22 Network Architecture Diagram</div><div>FedRAMP template-reference: System Security Plan Template §9.4</div></td></tr><tr><td><div id="has-network-architecture-diagram">has-network-architecture-diagram</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP has at least one network architecture diagram.</span></div><div>👎 <span class="diagnostic" title="has-network-architecture-diagram-diagnostic">This FedRAMP OSCAL SSP lacks at least one network-architecture diagram.</span></div><div>context: <code>oscal:network-architecture</code></div><div>test: <code>oscal:diagram</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ affirmative unit tests ➔ A FedRAMP OSCAL SSP has at least one network-architecture diagram. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ negative unit tests ➔ A FedRAMP OSCAL SSP has at least one network-architecture diagram. ➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.22 Network Architecture Diagram</div><div>FedRAMP template-reference: System Security Plan Template §9.4</div></td></tr><tr><td><div id="has-network-architecture-diagram-uuid">has-network-architecture-diagram-uuid</div></td><td><div>👍 <span class="assertion">Each FedRAMP SSP network architecture diagram has a unique identifier.</span></div><div>👎 <span class="diagnostic" title="has-network-architecture-diagram-uuid-diagnostic">This FedRAMP OSCAL SSP network-architecture diagram lacks a uuid
attribute.</span></div><div>context: <code>oscal:network-architecture/oscal:diagram</code></div><div>test: <code>@uuid</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ affirmative unit tests ➔ Each FedRAMP OSCAL SSP network-architecture diagram has a uuid attribute. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ negative unit tests ➔ Each FedRAMP OSCAL SSP network-architecture diagram has a uuid attribute. ➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.22 Network Architecture Diagram</div><div>FedRAMP template-reference: System Security Plan Template §9.4</div></td></tr><tr><td><div id="has-network-architecture-diagram-description">has-network-architecture-diagram-description</div></td><td><div>👍 <span class="assertion">Each FedRAMP SSP network architecture diagram has a description.</span></div><div>👎 <span class="diagnostic" title="has-network-architecture-diagram-description-diagnostic">This FedRAMP OSCAL SSP network-architecture diagram lacks a
description.</span></div><div>context: <code>oscal:network-architecture/oscal:diagram</code></div><div>test: <code>oscal:description</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ affirmative unit tests ➔ Each FedRAMP OSCAL SSP network-architecture diagram has a description. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ negative unit tests ➔ Each FedRAMP OSCAL SSP network-architecture diagram has a description. ➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.22 Network Architecture Diagram</div><div>FedRAMP template-reference: System Security Plan Template §9.4</div></td></tr><tr><td><div id="has-network-architecture-diagram-link">has-network-architecture-diagram-link</div></td><td><div>👍 <span class="assertion">Each FedRAMP SSP network architecture diagram has a link.</span></div><div>👎 <span class="diagnostic" title="has-network-architecture-diagram-link-diagnostic">This FedRAMP OSCAL SSP network-architecture diagram lacks a link.</span></div><div>context: <code>oscal:network-architecture/oscal:diagram</code></div><div>test: <code>oscal:link</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ affirmative unit tests ➔ Each FedRAMP OSCAL SSP network-architecture diagram has a link. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ negative unit tests ➔ Each FedRAMP OSCAL SSP network-architecture diagram has a link. 
➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.22 Network Architecture Diagram</div><div>FedRAMP template-reference: System Security Plan Template §9.4</div></td></tr><tr><td><div id="has-network-architecture-diagram-caption">has-network-architecture-diagram-caption</div></td><td><div>👍 <span class="assertion">Each FedRAMP SSP network architecture diagram has a caption.</span></div><div>👎 <span class="diagnostic" title="has-network-architecture-diagram-caption-diagnostic">This FedRAMP OSCAL SSP network-architecture diagram lacks a
caption.</span></div><div>context: <code>oscal:network-architecture/oscal:diagram</code></div><div>test: <code>oscal:caption</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ affirmative unit tests ➔ Each FedRAMP OSCAL SSP network-architecture diagram has a caption. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ negative unit tests ➔ Each FedRAMP OSCAL SSP network-architecture diagram has a caption. ➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.22 Network Architecture Diagram</div><div>FedRAMP template-reference: System Security Plan Template §9.4</div></td></tr><tr><td><div id="has-network-architecture-diagram-link-rel">has-network-architecture-diagram-link-rel</div></td><td><div>👍 <span class="assertion">Each FedRAMP SSP network architecture diagram has a link rel attribute.</span></div><div>👎 <span class="diagnostic" title="has-network-architecture-diagram-link-rel-diagnostic">This FedRAMP OSCAL SSP network-architecture diagram lacks a link rel
attribute.</span></div><div>context: <code>oscal:network-architecture/oscal:diagram/oscal:link</code></div><div>test: <code>@rel</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ affirmative unit tests ➔ Each FedRAMP OSCAL SSP network-architecture diagram has a link rel attribute. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ negative unit tests ➔ Each FedRAMP OSCAL SSP network-architecture diagram has a link rel attribute. ➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.22 Network Architecture Diagram</div><div>FedRAMP template-reference: System Security Plan Template §9.4</div></td></tr><tr><td><div id="has-network-architecture-diagram-link-rel-allowed-value">has-network-architecture-diagram-link-rel-allowed-value</div></td><td><div>👍 <span class="assertion">Each FedRAMP SSP network architecture diagram has a link rel attribute with the value "diagram".</span></div><div>👎 <span class="diagnostic" title="has-network-architecture-diagram-link-rel-allowed-value-diagnostic">This FedRAMP OSCAL SSP network-architecture diagram lacks a link
rel attribute with the value "diagram".</span></div><div>context: <code>oscal:network-architecture/oscal:diagram/oscal:link</code></div><div>test: <code>@rel = 'diagram'</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ affirmative unit tests ➔ Each FedRAMP OSCAL SSP network-architecture diagram has a link rel attribute with the value "diagram". ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ negative unit tests ➔ Each FedRAMP OSCAL SSP network-architecture diagram has a link rel attribute with the value "diagram". ➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.22 Network Architecture Diagram</div><div>FedRAMP template-reference: System Security Plan Template §9.4</div></td></tr><tr><td><div id="has-network-architecture-diagram-link-href-target">has-network-architecture-diagram-link-href-target</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP network architecture diagram link
references a back-matter resource representing the diagram document.</span></div><div>👎 <span class="diagnostic" title="has-network-architecture-diagram-link-href-target-diagnostic">This FedRAMP OSCAL SSP network-architecture diagram link does not
reference a back-matter resource representing the diagram document.</span></div><div>context: <code>oscal:network-architecture/oscal:diagram/oscal:link</code></div><div>test: <code>exists(//oscal:resource[@uuid = substring-after(current()/@href, '#')])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ affirmative unit tests ➔ A FedRAMP OSCAL SSP network-architecture diagram link references a back-matter resource representing the diagram document. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ negative unit tests ➔ A FedRAMP OSCAL SSP network-architecture diagram link references a back-matter resource representing the diagram document. ➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.22 Network Architecture Diagram</div><div>FedRAMP template-reference: System Security Plan Template §9.4</div></td></tr><tr><td><div id="has-data-flow">has-data-flow</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP includes a data flow diagram.</span></div><div>👎 <span class="diagnostic" title="has-data-flow-diagnostic">This FedRAMP OSCAL SSP lacks a data-flow in its system-characteristics.</span></div><div>context: <code>oscal:system-characteristics</code></div><div>test: <code>oscal:data-flow</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ affirmative unit tests ➔ A FedRAMP OSCAL SSP includes a data-flow in its system-characteristics. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ negative unit tests ➔ A FedRAMP OSCAL SSP includes a data-flow in its system-characteristics. 
➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.24 Data Flow Diagram</div><div>FedRAMP template-reference: System Security Plan Template §10.1</div></td></tr><tr><td><div id="has-data-flow-description">has-data-flow-description</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP has a data flow description.</span></div><div>👎 <span class="diagnostic" title="has-data-flow-description-diagnostic">This FedRAMP OSCAL SSP lacks a data-flow description.</span></div><div>context: <code>oscal:data-flow</code></div><div>test: <code>oscal:description</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ affirmative unit tests ➔ A FedRAMP OSCAL SSP has a data-flow description. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ negative unit tests ➔ A FedRAMP OSCAL SSP has a data-flow description. ➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.24 Data Flow Diagram</div><div>FedRAMP template-reference: System Security Plan Template §10.1</div></td></tr><tr><td><div id="has-data-flow-diagram">has-data-flow-diagram</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP has at least one data flow diagram.</span></div><div>👎 <span class="diagnostic" title="has-data-flow-diagram-diagnostic">This FedRAMP OSCAL SSP lacks at least one data-flow diagram.</span></div><div>context: <code>oscal:data-flow</code></div><div>test: <code>oscal:diagram</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ affirmative unit tests ➔ A FedRAMP OSCAL SSP has at least one data-flow diagram. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ negative unit tests ➔ A FedRAMP OSCAL SSP has at least one data-flow diagram. 
➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.24 Data Flow Diagram</div><div>FedRAMP template-reference: System Security Plan Template §10.1</div></td></tr><tr><td><div id="has-data-flow-diagram-uuid">has-data-flow-diagram-uuid</div></td><td><div>👍 <span class="assertion">Each FedRAMP SSP data flow diagram has a unique identifier.</span></div><div>👎 <span class="diagnostic" title="has-data-flow-diagram-uuid-diagnostic">This FedRAMP OSCAL SSP data-flow diagram lacks a uuid attribute.</span></div><div>context: <code>oscal:data-flow/oscal:diagram</code></div><div>test: <code>@uuid</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ affirmative unit tests ➔ Each FedRAMP OSCAL SSP data-flow diagram has a uuid attribute. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ negative unit tests ➔ Each FedRAMP OSCAL SSP data-flow diagram has a uuid attribute. ➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.24 Data Flow Diagram</div><div>FedRAMP template-reference: System Security Plan Template §10.1</div></td></tr><tr><td><div id="has-data-flow-diagram-description">has-data-flow-diagram-description</div></td><td><div>👍 <span class="assertion">Each FedRAMP SSP data flow diagram has a description.</span></div><div>👎 <span class="diagnostic" title="has-data-flow-diagram-description-diagnostic">This FedRAMP OSCAL SSP data-flow diagram lacks a description.</span></div><div>context: <code>oscal:data-flow/oscal:diagram</code></div><div>test: <code>oscal:description</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ affirmative unit tests ➔ Each FedRAMP OSCAL SSP data-flow diagram has a description. 
➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ negative unit tests ➔ Each FedRAMP OSCAL SSP data-flow diagram has a description. ➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.24 Data Flow Diagram</div><div>FedRAMP template-reference: System Security Plan Template §10.1</div></td></tr><tr><td><div id="has-data-flow-diagram-link">has-data-flow-diagram-link</div></td><td><div>👍 <span class="assertion">Each FedRAMP SSP data flow diagram has a link.</span></div><div>👎 <span class="diagnostic" title="has-data-flow-diagram-link-diagnostic">This FedRAMP OSCAL SSP data-flow diagram lacks a link.</span></div><div>context: <code>oscal:data-flow/oscal:diagram</code></div><div>test: <code>oscal:link</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ affirmative unit tests ➔ Each FedRAMP OSCAL SSP data-flow diagram has a link. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ negative unit tests ➔ Each FedRAMP OSCAL SSP data-flow diagram has a link. 
➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.24 Data Flow Diagram</div><div>FedRAMP template-reference: System Security Plan Template §10.1</div></td></tr><tr><td><div id="has-data-flow-diagram-caption">has-data-flow-diagram-caption</div></td><td><div>👍 <span class="assertion">Each FedRAMP SSP data flow diagram has a caption.</span></div><div>👎 <span class="diagnostic" title="has-data-flow-diagram-caption-diagnostic">This FedRAMP OSCAL SSP data-flow diagram lacks a caption.</span></div><div>context: <code>oscal:data-flow/oscal:diagram</code></div><div>test: <code>oscal:caption</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ affirmative unit tests ➔ Each FedRAMP OSCAL SSP data-flow diagram has a caption. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ negative unit tests ➔ Each FedRAMP OSCAL SSP data-flow diagram has a caption. ➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.24 Data Flow Diagram</div><div>FedRAMP template-reference: System Security Plan Template §10.1</div></td></tr><tr><td><div id="has-data-flow-diagram-link-rel">has-data-flow-diagram-link-rel</div></td><td><div>👍 <span class="assertion">Each FedRAMP SSP data flow diagram has a link rel attribute.</span></div><div>👎 <span class="diagnostic" title="has-data-flow-diagram-link-rel-diagnostic">This FedRAMP OSCAL SSP data-flow diagram lacks a link rel attribute.</span></div><div>context: <code>oscal:data-flow/oscal:diagram/oscal:link</code></div><div>test: <code>@rel</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ affirmative unit tests ➔ Each FedRAMP OSCAL SSP data-flow diagram has a link rel attribute. 
➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ negative unit tests ➔ Each FedRAMP OSCAL SSP data-flow diagram has a link rel attribute. ➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.24 Data Flow Diagram</div><div>FedRAMP template-reference: System Security Plan Template §10.1</div></td></tr><tr><td><div id="has-data-flow-diagram-link-rel-allowed-value">has-data-flow-diagram-link-rel-allowed-value</div></td><td><div>👍 <span class="assertion">Each FedRAMP SSP data flow diagram has a link rel attribute with the value "diagram".</span></div><div>👎 <span class="diagnostic" title="has-data-flow-diagram-link-rel-allowed-value-diagnostic">This FedRAMP OSCAL SSP data-flow diagram lacks a link rel attribute with the
value "diagram".</span></div><div>context: <code>oscal:data-flow/oscal:diagram/oscal:link</code></div><div>test: <code>@rel = 'diagram'</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ affirmative unit tests ➔ Each FedRAMP OSCAL SSP data-flow diagram has a link rel attribute with the value "diagram". ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ negative unit tests ➔ Each FedRAMP OSCAL SSP data-flow diagram has a link rel attribute with the value "diagram". ➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.24 Data Flow Diagram</div><div>FedRAMP template-reference: System Security Plan Template §10.1</div></td></tr><tr><td><div id="has-data-flow-diagram-link-href-target">has-data-flow-diagram-link-href-target</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP data flow diagram link references a
back-matter resource representing the diagram document.</span></div><div>👎 <span class="diagnostic" title="has-data-flow-diagram-link-href-target-diagnostic">This FedRAMP OSCAL SSP data-flow diagram link does not reference a back-matter
resource representing the diagram document.</span></div><div>context: <code>oscal:data-flow/oscal:diagram/oscal:link</code></div><div>test: <code>exists(//oscal:resource[@uuid = substring-after(current()/@href, '#')])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ affirmative unit tests ➔ A FedRAMP OSCAL SSP data-flow diagram link references a back-matter resource representing the diagram document. ➔ When that is true ➔ that is correct.</div><div>negative XSpec test: FedRAMP OSCAL SSP Diagrams ➔ negative unit tests ➔ A FedRAMP OSCAL SSP data-flow diagram link references a back-matter resource representing the diagram document. ➔ When that is false ➔ that is an error.</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §4.24 Data Flow Diagram</div><div>FedRAMP template-reference: System Security Plan Template §10.1</div></td></tr><tr><td><div id="system-security-plan-has-import-profile">system-security-plan-has-import-profile</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP declares the related FedRAMP OSCAL Profile using an import-profile
element.</span></div><div>👎 <span class="diagnostic" title="system-security-plan-has-import-profile-diagnostic">This FedRAMP OSCAL SSP lacks an import-profile element.</span></div><div>context: <code>oscal:system-security-plan</code></div><div>test: <code>exists(oscal:import-profile)</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Control Implementation ➔ A FedRAMP OSCAL SSP declares the related FedRAMP OSCAL Profile using an import-profile element. ➔ When that is true ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Control Implementation ➔ A FedRAMP OSCAL SSP declares the related FedRAMP OSCAL Profile using an import-profile element. ➔ When that is false ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §5.1</div><div>FedRAMP template-reference: System Security Plan Template §13</div></td></tr><tr><td><div id="import-profile-has-href-attribute">import-profile-has-href-attribute</div></td><td><div>👍 <span class="assertion">The import-profile element has a reference.</span></div><div>👎 <span class="diagnostic" title="import-profile-has-href-attribute-diagnostic">The import-profile element lacks an href attribute.</span></div><div>context: <code>oscal:import-profile</code></div><div>test: <code>@href</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Control Implementation ➔ The import-profile element has an href attribute. ➔ When that is true ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Control Implementation ➔ The import-profile element has an href attribute. 
➔ When that is false ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §5.1</div><div>FedRAMP template-reference: System Security Plan Template §13</div></td></tr><tr><td><div id="implemented-requirement-has-implementation-status">implemented-requirement-has-implementation-status</div></td><td><div>👍 <span class="assertion">Every implemented requirement
has an implementation-status property.</span></div><div>👎 <span class="diagnostic" title="implemented-requirement-has-implementation-status-diagnostic">This implemented-requirement lacks an
implementation-status.</span></div><div>context: <code>oscal:implemented-requirement</code></div><div>test: <code>exists(oscal:prop[@ns eq 'https://fedramp.gov/ns/oscal' and @name eq 'implementation-status'])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Control Implementation ➔ Every implemented-requirement has an implementation-status property. ➔ When that is true ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Control Implementation ➔ Every implemented-requirement has an implementation-status property. ➔ When that is false ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §5.3</div><div>FedRAMP template-reference: System Security Plan Template §13</div></td></tr><tr><td><div id="implemented-requirement-has-planned-completion-date">implemented-requirement-has-planned-completion-date</div></td><td><div>👍 <span class="assertion">Planned control implementations have a planned completion date.</span></div><div>👎 <span class="diagnostic" title="implemented-requirement-has-planned-completion-date-diagnostic">This planned control implementation lacks a planned completion
date.</span></div><div>context: <code>oscal:implemented-requirement</code></div><div>test: <code> if (oscal:prop[@ns eq 'https://fedramp.gov/ns/oscal' and @name eq 'implementation-status' and @value eq 'planned']) then exists(current()/oscal:prop[@ns eq 'https://fedramp.gov/ns/oscal' and @name eq 'planned-completion-date' and @value castable as xs:date]) else true()</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Control Implementation ➔ Planned control implementations have a planned completion date. ➔ When that is true ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Control Implementation ➔ Planned control implementations have a planned completion date. ➔ When that is false ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §5.3</div><div>FedRAMP template-reference: System Security Plan Template §13</div></td></tr><tr><td><div id="implemented-requirement-has-control-origination">implemented-requirement-has-control-origination</div></td><td><div>👍 <span class="assertion">Every implemented requirement has a
control origin.</span></div><div>👎 <span class="diagnostic" title="implemented-requirement-has-control-origination-diagnostic">This implemented-requirement lacks a control-origination
property.</span></div><div>context: <code>oscal:implemented-requirement</code></div><div>test: <code>oscal:prop[@ns eq 'https://fedramp.gov/ns/oscal' and @name eq 'control-origination']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Control Implementation ➔ Every implemented-requirement has a control-origination property. ➔ When that is true ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Control Implementation ➔ Every implemented-requirement has a control-origination property. ➔ When that is false ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §5.3.1.1</div><div>FedRAMP template-reference: System Security Plan Template §13</div></td></tr><tr><td><div id="implemented-requirement-has-allowed-control-origination">implemented-requirement-has-allowed-control-origination</div></td><td><div>👍 <span class="assertion"> Every
implemented requirement has an allowed control origin.</span></div><div>👎 <span class="diagnostic" title="implemented-requirement-has-allowed-control-origination-diagnostic">This implemented-requirement lacks an allowed control-origination
property.</span></div><div>context: <code>oscal:implemented-requirement</code></div><div>test: <code>oscal:prop[@ns eq 'https://fedramp.gov/ns/oscal' and @name eq 'control-origination' and @value = $control-originations]</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Control Implementation ➔ Every implemented-requirement has an allowed control-origination property. ➔ When that is true ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Control Implementation ➔ Every implemented-requirement has an allowed control-origination property. ➔ When that is false ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §5.3.1.1</div><div>FedRAMP template-reference: System Security Plan Template §13</div></td></tr><tr><td><div id="implemented-requirement-has-leveraged-authorization">implemented-requirement-has-leveraged-authorization</div></td><td><div>👍 <span class="assertion">Every implemented requirement with a control origin of "inherited" references a leveraged
authorization.</span></div><div>👎 <span class="diagnostic" title="implemented-requirement-has-leveraged-authorization-diagnostic">This implemented-requirement with a control-origination property of
"inherited" does not reference a leveraged-authorization element in the same document.</span></div><div>context: <code>oscal:implemented-requirement</code></div><div>test: <code> if (oscal:prop[@ns eq 'https://fedramp.gov/ns/oscal' and @name eq 'control-origination' and @value eq 'inherited']) then (: there must be a leveraged-authorization-uuid property :) exists(oscal:prop[@ns eq 'https://fedramp.gov/ns/oscal' and @name eq 'leveraged-authorization-uuid']) and (: the referenced leveraged-authorization must exist :) exists(//oscal:leveraged-authorization[@uuid = current()/oscal:prop[@ns eq 'https://fedramp.gov/ns/oscal' and @name eq 'leveraged-authorization-uuid']/@value]) else true()</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Control Implementation ➔ Every implemented-requirement with a control-origination property of "inherited" references a leveraged-authorization. ➔ When that is true ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Control Implementation ➔ Every implemented-requirement with a control-origination property of "inherited" references a leveraged-authorization. ➔ When that is false ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §5.3.1.1</div><div>FedRAMP template-reference: System Security Plan Template §13</div></td></tr><tr><td><div id="implemented-requirement-has-implementation-status-remarks">implemented-requirement-has-implementation-status-remarks</div></td><td><div>👍 <span class="assertion">Incomplete control implementations have an explanation.</span></div><div>👎 <span class="diagnostic" title="implemented-requirement-has-implementation-status-remarks-diagnostic">This incomplete control implementation lacks an
explanation.</span></div><div>context: <code>oscal:prop[@ns eq 'https://fedramp.gov/ns/oscal' and @name eq 'implementation-status' and @value ne 'implemented']</code></div><div>test: <code>oscal:remarks</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Control Implementation ➔ Incomplete control implementations have an explanation. ➔ When that is true ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Control Implementation ➔ Incomplete control implementations have an explanation. ➔ When that is false ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §5.3</div><div>FedRAMP template-reference: System Security Plan Template §13</div></td></tr><tr><td><div id="planned-completion-date-is-valid">planned-completion-date-is-valid</div></td><td><div>👍 <span class="assertion">Planned completion date is valid.</span></div><div>👎 <span class="diagnostic" title="planned-completion-date-is-valid-diagnostic">This planned completion date is not valid.</span></div><div>context: <code>oscal:prop[@ns eq 'https://fedramp.gov/ns/oscal' and @name eq 'planned-completion-date']</code></div><div>test: <code>@value castable as xs:date</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Control Implementation ➔ Planned completion date is valid. ➔ When that is true ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Control Implementation ➔ Planned completion date is valid. 
➔ When that is false ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §5.3</div><div>FedRAMP template-reference: System Security Plan Template §13</div></td></tr><tr><td><div id="planned-completion-date-is-not-past">planned-completion-date-is-not-past</div></td><td><div>👍 <span class="assertion">Planned completion date is not past.</span></div><div>👎 <span class="diagnostic" title="planned-completion-date-is-not-past-diagnostic">This planned completion date references a past time.</span></div><div>context: <code>oscal:prop[@ns eq 'https://fedramp.gov/ns/oscal' and @name eq 'planned-completion-date']</code></div><div>test: <code>@value castable as xs:date and xs:date(@value) gt current-date()</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Control Implementation ➔ Planned completion date is not past. ➔ When that is true ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Control Implementation ➔ Planned completion date is not past. ➔ When that is false ➔ that is an error</div><div>FedRAMP guide-reference: Guide to OSCAL-based FedRAMP System Security Plans §5.3</div></td></tr><tr><td><div id="has-cloud-service-model">has-cloud-service-model</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP must specify a cloud service model.</span></div><div>👎 <span class="diagnostic" title="has-cloud-service-model-diagnostic">A FedRAMP SSP must specify a cloud service model.</span></div><div>context: <code>oscal:system-characteristics</code></div><div>test: <code>oscal:prop[@name = 'cloud-service-model']</code></div><div>role: <code></code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Cloud Service and Deployment Models ➔ A FedRAMP SSP must specify a cloud service model. ➔ When that is true ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Cloud Service and Deployment Models ➔ A FedRAMP SSP must specify a cloud service model. 
➔ When that is false ➔ that is an error</div><div>FedRAMP guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §4.13</div><div>FedRAMP template-reference: System Security Plan Template §8.1</div></td></tr><tr><td><div id="has-allowed-cloud-service-model">has-allowed-cloud-service-model</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP must specify an allowed cloud service
model.</span></div><div>👎 <span class="diagnostic" title="has-allowed-cloud-service-model-diagnostic">A FedRAMP SSP must specify an allowed cloud service model.</span></div><div>context: <code>oscal:system-characteristics</code></div><div>test: <code>oscal:prop[@name = 'cloud-service-model' and @value = $service-models]</code></div><div>role: <code></code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Cloud Service and Deployment Models ➔ A FedRAMP SSP must specify an allowed cloud service model. ➔ When that is true ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Cloud Service and Deployment Models ➔ A FedRAMP SSP must specify an allowed cloud service model. ➔ When that is false ➔ that is an error</div><div>FedRAMP guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §4.13</div><div>FedRAMP template-reference: System Security Plan Template §8.1</div></td></tr><tr><td><div id="has-cloud-service-model-remarks">has-cloud-service-model-remarks</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP with a cloud service model of "other" must supply remarks.</span></div><div>👎 <span class="diagnostic" title="has-cloud-service-model-remarks-diagnostic">A FedRAMP SSP with a cloud service model of "other" must supply remarks.</span></div><div>context: <code>oscal:system-characteristics</code></div><div>test: <code> every $p in oscal:prop[@name = 'cloud-service-model' and @value = 'other'] satisfies exists($p/oscal:remarks) </code></div><div>role: <code></code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Cloud Service and Deployment Models ➔ A FedRAMP SSP with a cloud service model of "other" must supply remarks. ➔ When that is true ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Cloud Service and Deployment Models ➔ A FedRAMP SSP with a cloud service model of "other" must supply remarks. 
➔ When that is false ➔ that is an error</div><div>FedRAMP guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §4.13</div><div>FedRAMP template-reference: System Security Plan Template §8.1</div></td></tr><tr><td><div id="has-cloud-deployment-model">has-cloud-deployment-model</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP must specify a cloud deployment model.</span></div><div>👎 <span class="diagnostic" title="has-cloud-deployment-model-diagnostic">A FedRAMP SSP must specify a cloud deployment model.</span></div><div>context: <code>oscal:system-characteristics</code></div><div>test: <code>oscal:prop[@name = 'cloud-deployment-model']</code></div><div>role: <code></code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Cloud Service and Deployment Models ➔ A FedRAMP SSP must specify a cloud deployment model. ➔ When that is true ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Cloud Service and Deployment Models ➔ A FedRAMP SSP must specify a cloud deployment model. ➔ When that is false ➔ that is an error</div><div>FedRAMP guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §4.14</div><div>FedRAMP template-reference: System Security Plan Template §8.2</div></td></tr><tr><td><div id="has-allowed-cloud-deployment-model">has-allowed-cloud-deployment-model</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP must specify an allowed cloud
deployment model.</span></div><div>👎 <span class="diagnostic" title="has-allowed-cloud-deployment-model-diagnostic">A FedRAMP SSP must specify an allowed cloud deployment model.</span></div><div>context: <code>oscal:system-characteristics</code></div><div>test: <code>oscal:prop[@name = 'cloud-deployment-model' and @value = $deployment-models]</code></div><div>role: <code></code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Cloud Service and Deployment Models ➔ A FedRAMP SSP must specify an allowed cloud deployment model. ➔ When that is true ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Cloud Service and Deployment Models ➔ A FedRAMP SSP must specify an allowed cloud deployment model. ➔ When that is false ➔ that is an error</div><div>FedRAMP guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §4.14</div><div>FedRAMP template-reference: System Security Plan Template §8.2</div></td></tr><tr><td><div id="has-cloud-deployment-model-remarks">has-cloud-deployment-model-remarks</div></td><td><div>👍 <span class="assertion">A FedRAMP SSP with a cloud deployment model of "hybrid-cloud" must supply remarks.</span></div><div>👎 <span class="diagnostic" title="has-cloud-deployment-model-remarks-diagnostic">A FedRAMP SSP with a cloud deployment model of "hybrid-cloud" must supply
remarks.</span></div><div>context: <code>oscal:system-characteristics</code></div><div>test: <code> every $p in oscal:prop[@name = 'cloud-deployment-model' and @value = 'hybrid-cloud'] satisfies exists($p/oscal:remarks) </code></div><div>role: <code></code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Cloud Service and Deployment Models ➔ A FedRAMP SSP with a cloud deployment model of "hybrid-cloud" must supply remarks. ➔ When that is true ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Cloud Service and Deployment Models ➔ A FedRAMP SSP with a cloud deployment model of "hybrid-cloud" must supply remarks. ➔ When that is false ➔ that is an error</div><div>FedRAMP guide-reference: DRAFT Guide to OSCAL-based FedRAMP System Security Plans §4.14</div><div>FedRAMP template-reference: System Security Plan Template §8.2</div></td></tr><tr><td><div id="has-public-cloud-deployment-model">has-public-cloud-deployment-model</div></td><td><div>👍 <span class="assertion">When a FedRAMP SSP has public components or inventory items, a cloud deployment model of "public-cloud" must be
employed.</span></div><div>👎 <span class="diagnostic" title="has-public-cloud-deployment-model-diagnostic">When a FedRAMP SSP has public components or inventory items, a cloud deployment model of
"public-cloud" must be employed.</span></div><div>context: <code>oscal:system-characteristics</code></div><div>test: <code> (: either there is no component or inventory-item tagged as 'public' :) not( exists(//oscal:component[oscal:prop[@name = 'public' and @value = 'yes']]) or exists(//oscal:inventory-item[oscal:prop[@name = 'public' and @value = 'yes']]) ) or (: a 'public-cloud' deployment model is employed :) exists(oscal:prop[@name = 'cloud-deployment-model' and @value = 'public-cloud']) </code></div><div>role: <code></code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Cloud Service and Deployment Models ➔ When a FedRAMP SSP has public components or inventory items, a cloud deployment model of "public-cloud" must be employed. ➔ When that is not pertinent ➔ When that is true ➔ that is correct ➔ that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Cloud Service and Deployment Models ➔ When a FedRAMP SSP has public components or inventory items, a cloud deployment model of "public-cloud" must be employed. ➔ When that is false ➔ that is an error</div></td></tr></tbody></table><h2>FedRAMP Values</h2><p>The <code>fedramp_values.xml</code> document contains value enumerations for various FedRAMP OSCAL document elements.</p><table id="fedramp_values.xml"><caption><code>fedramp_values.xml</code> constraints</caption><thead><tr><th>Name</th><th>Values</th><th>Context(s) - <span class="highlight">Light blue</span> highlights use of name in context. 
<span class="highlight-missed">Yellow</span> highlights absence of name in context.</th></tr></thead><tbody><tr><td rowspan="3"><div><code>address-type</code></div></td><td><div><code>home</code></div><div><code>work</code></div></td><td><div><code><span class="highlight-missed">party/address/@type</span></code></div></td></tr><tr><td colspan="2"><u>Address Type</u>: <i>The type of address for the party</i></td></tr><tr><td colspan="2">Remarks: FedRAMP requires work addresses.</td></tr><tr><td rowspan="3"><div><code>allows-authenticated-scan</code></div></td><td><div><code>yes</code></div><div><code>no</code></div></td><td><div><code>inventory-item/prop[@name='<span class="highlight">allows-authenticated-scan</span>']/@value</code></div><div><code>component/prop[@name='<span class="highlight">allows-authenticated-scan</span>']/@value</code></div></td></tr><tr><td colspan="2"><u>Allows Authenticated Scan</u>: <i>Indicates if the asset is capable of having an authenticated scan.</i></td></tr><tr><td colspan="2">Remarks: if the value is "no", the prop remarks must contain the reason why.</td></tr><tr><td rowspan="2"><div><code>asset-type</code></div></td><td><div><code>operating-system</code></div><div><code>database</code></div><div><code>web-server</code></div><div><code>dns-server</code></div><div><code>email-server</code></div><div><code>directory-server</code></div><div><code>pbx</code></div><div><code>firewall</code></div><div><code>router</code></div><div><code>switch</code></div><div><code>storage-array</code></div><div><i>or any other value</i></div></td><td><div><code>component/prop[@name='<span class="highlight">asset-type</span>']</code></div><div><code>inventory-item/prop[@name='<span class="highlight">asset-type</span>']</code></div></td></tr><tr><td colspan="2"><u>Asset Type</u>: <i>Identifies the type of asset.</i></td></tr><tr><td 
rowspan="2"><div><code>attachment-type</code></div></td><td><div><code>law</code></div><div><code>regulation</code></div><div><code>standard</code></div><div><code>guidance</code></div><div><code>policy</code></div><div><code>procedure</code></div><div><code>guide</code></div><div><code>rules-of-behavior</code></div><div><code>plan</code></div><div><code>system-security-plan</code></div><div><code>artifact</code></div><div><code>evidence</code></div><div><code>screen-shot</code></div><div><code>image</code></div><div><code>tool-report</code></div><div><code>raw-tool-output</code></div><div><code>interview-notes</code></div><div><code>questionnaire</code></div><div><code>report</code></div><div><code>fedramp-citations</code></div><div><code>fedramp-acronyms</code></div><div><code>fedramp-logo</code></div><div><code>separation-of-duties-matrix</code></div><div><code>logo</code></div><div><code>personally-identifiable-information</code></div><div><code>agreement</code></div><div><code>incident-response-plan</code></div><div><code>information-security-policies-and-procedures</code></div><div><code>user-guide</code></div><div><code>privacy-impact-assessment</code></div><div><code>information-system-contingency-plan</code></div><div><code>configuration-management-plan</code></div><div><i>or any other value</i></div></td><td><div><code><span class="highlight-missed">resource/prop[@name='type'][@ns='https://fedramp.gov/ns/oscal']</span><span class="NB"> ☚ Note the <code>@ns</code></span></code></div></td></tr><tr><td colspan="2"><u>Attachment Type</u>: <i>Identifies the type of attachment.</i></td></tr><tr><td rowspan="2"><div><code>authenticator-assurance-level</code></div></td><td><div><code>1</code></div><div><code>2</code></div><div><code>3</code></div></td><td><div><code>system-characteristics/prop[@name='<span class="highlight">authenticator-assurance-level</span>']</code></div></td></tr><tr><td colspan="2"><u>Authenticator Assurance Level</u>: <i>The authenticator 
assurance level as defined by NIST SP 800-63, Revision 3.</i></td></tr><tr><td rowspan="2"><div><code>authorization-type</code></div></td><td><div><code>fedramp-jab</code></div><div><code>fedramp-agency</code></div><div><code>fedramp-li-saas</code></div></td><td><div><code>system-characteristics/prop[@name='<span class="highlight">authorization-type</span>'][@ns='https://fedramp.gov/ns/oscal']<span class="NB"> ☚ Note the <code>@ns</code></span></code></div></td></tr><tr><td colspan="2"><u>Authorization Type</u>: <i>The FedRAMP Authorization Type</i></td></tr><tr><td rowspan="2"><div><code>component-operational-status</code></div></td><td><div><code>operational</code></div><div><code>under-development</code></div><div><code>disposition</code></div><div><code>other</code></div></td><td><div><code><span class="highlight-missed">component/status/@state</span></code></div></td></tr><tr><td colspan="2"><u>Operational Status (component)</u>: <i>The operational status of the component</i></td></tr><tr><td rowspan="2"><div><code>component-type</code></div></td><td><div><code>software</code></div><div><code>hardware</code></div><div><code>service</code></div><div><code>policy</code></div><div><code>process</code></div><div><code>procedure</code></div><div><code>plan</code></div><div><code>guidance</code></div><div><code>standard</code></div><div><code>validation</code></div><div><code>this-system</code></div><div><code>interconnection</code></div><div><i>or any other value</i></div></td><td><div><code>component/@<span class="highlight">component-type</span></code></div></td></tr><tr><td colspan="2"><u>Component Type</u>: <i>identifies the component type.</i></td></tr><tr><td rowspan="2"><div><code>control-implementation-status</code></div></td><td><div><code>implemented</code></div><div><code>partial</code></div><div><code>planned</code></div><div><code>alternative</code></div><div><code>not-applicable</code></div></td><td><div><code><span 
class="highlight-missed">implemented-requirement/prop[@name='implementation-status']/@value</span></code></div></td></tr><tr><td colspan="2"><u>Control Implementation Status</u>: <i>The implementation status of the control.</i></td></tr><tr><td rowspan="2"><div><code>control-origination</code></div></td><td><div><code>sp-corporate</code></div><div><code>sp-system</code></div><div><code>customer-configured</code></div><div><code>customer-provided</code></div><div><code>inherited</code></div></td><td><div><code>implemented-requirement/prop[@name='<span class="highlight">control-origination</span>'][@ns='https://fedramp.gov/ns/oscal']/@value<span class="NB"> ☚ Note the <code>@ns</code></span></code></div></td></tr><tr><td colspan="2"><u>Control Origination</u>: <i>The point(s) from which the control satisfaction originates.</i></td></tr><tr><td rowspan="2"><div><code>deployment-model</code></div></td><td><div><code>public-cloud</code></div><div><code>private-cloud</code></div><div><code>government-only-cloud</code></div><div><code>hybrid-cloud</code></div><div><code>other</code></div></td><td><div><code>system-characteristics/prop[@name='cloud-<span class="highlight">deployment-model</span>'][@ns='https://fedramp.gov/ns/oscal']/@value<span class="NB"> ☚ Note the <code>@ns</code></span></code></div></td></tr><tr><td colspan="2"><u>Deployment Model</u>: <i>The cloud deployment model.</i></td></tr><tr><td rowspan="2"><div><code>eauth-level</code></div></td><td><div><code>1</code></div><div><code>2</code></div><div><code>3</code></div></td><td><div><code>system-characteristics/prop[@name='security-<span class="highlight">eauth-level</span>'][@ns='https://fedramp.gov/ns/oscal']<span class="NB"> ☚ Note the <code>@ns</code></span></code></div></td></tr><tr><td colspan="2"><u>eAuth Level</u>: <i>The eAuthentication level as defined by NIST SP 800-63, Revision 3.</i></td></tr><tr><td 
rowspan="2"><div><code>federation-assurance-level</code></div></td><td><div><code>1</code></div><div><code>2</code></div><div><code>3</code></div></td><td><div><code>system-characteristics/prop[@name='<span class="highlight">federation-assurance-level</span>']</code></div></td></tr><tr><td colspan="2"><u>Federation Assurance Level</u>: <i>The federation assurance level as defined by NIST SP 800-63, Revision 3.</i></td></tr><tr><td rowspan="2"><div><code>hash-algorithm</code></div></td><td><div><code>SHA-224</code></div><div><code>SHA-256</code></div><div><code>SHA-384</code></div><div><code>SHA-512</code></div><div><code>RIPEMD-160</code></div><div><i>or any other value</i></div></td><td><div><code><span class="highlight-missed">resource/hash/@algorithm</span></code></div></td></tr><tr><td colspan="2"><u>Hash Algorithm</u>: <i>Identifies the algorithm used to create the hash value of the attachment.</i></td></tr><tr><td rowspan="2"><div><code>identity-assurance-level</code></div></td><td><div><code>1</code></div><div><code>2</code></div><div><code>3</code></div></td><td><div><code>system-characteristics/prop[@name='<span class="highlight">identity-assurance-level</span>']</code></div></td></tr><tr><td colspan="2"><u>Identity Assurance Level</u>: <i>The identity assurance level as defined by NIST SP 800-63, Revision 3.</i></td></tr><tr><td rowspan="2"><div><code>impact-level</code></div></td><td><div><code>low</code></div><div><code>moderate</code></div><div><code>high</code></div></td><td><div><code><span class="highlight-missed">risk/risk-metric[@name='impact'][@system='https://fedramp.gov']</span></code></div></td></tr><tr><td colspan="2"><u>Impact Level</u>: <i>The impact level of a risk.</i></td></tr><tr><td rowspan="3"><div><code>information-type-system</code></div></td><td><div><code>https://doi.org/10.6028/NIST.SP.800-60v2r1</code></div></td><td><div><code><span 
class="highlight-missed">information-type/information-type-id/@system</span></code></div></td></tr><tr><td colspan="2"><u>Information Type System</u>: <i>Identifies the system from which the information type was defined.</i></td></tr><tr><td colspan="2">Remarks: FedRAMP only allows information types defined in NIST SP 800-60v2r1.</td></tr><tr><td rowspan="2"><div><code>interconnection-direction</code></div></td><td><div><code>incoming</code></div><div><code>outgoing</code></div><div><code>incoming-outgoing</code></div></td><td><div><code><span class="highlight-missed">component[@component-type='interconnection']/prop[@name='direction'][@ns='https://fedramp.gov/ns/oscal']</span><span class="NB"> ☚ Note the <code>@ns</code></span></code></div></td></tr><tr><td colspan="2"><u>Interconnection Direction</u>: <i>Identifies the direction of information flow for the interconnection.</i></td></tr><tr><td rowspan="2"><div><code>interconnection-security</code></div></td><td><div><code>ipsec</code></div><div><code>vpn</code></div><div><code>ssl</code></div><div><code>certificate</code></div><div><code>secure-file-transfer</code></div><div><code>other</code></div></td><td><div><code><span class="highlight-missed">component[@component-type='interconnection']/prop[@name='connection-security'][@ns='https://fedramp.gov/ns/oscal']/@value</span><span class="NB"> ☚ Note the <code>@ns</code></span></code></div></td></tr><tr><td colspan="2"><u>Interconnection Security</u>: <i>Identifies the type of security applied to the interconnection.</i></td></tr><tr><td rowspan="3"><div><code>is-scanned</code></div></td><td><div><code>yes</code></div><div><code>no</code></div></td><td><div><code>inventory-item/prop[@name='<span class="highlight">is-scanned</span>']/@value</code></div><div><code>component/prop[@name='<span class="highlight">is-scanned</span>']/@value</code></div></td></tr><tr><td colspan="2"><u>Is Scanned</u>: <i>Indicates if the asset is scanned.</i></td></tr><tr><td 
colspan="2">Remarks: if the value is "no", the prop remarks must contain the reason why.</td></tr><tr><td rowspan="2"><div><code>likelihood</code></div></td><td><div><code>low</code></div><div><code>moderate</code></div><div><code>high</code></div></td><td><div><code>risk/risk-metric[@name='<span class="highlight">likelihood</span>'][@system='https://fedramp.gov']</code></div></td></tr><tr><td colspan="2"><u>Likelihood</u>: <i>The likelihood of a risk.</i></td></tr><tr><td rowspan="2"><div><code>media-type</code></div></td><td><div><code>application/gzip</code></div><div><code>application/msword</code></div><div><code>application/octet-stream</code></div><div><code>application/pdf</code></div><div><code>application/vnd.ms-excel</code></div><div><code>application/vnd.ms-works</code></div><div><code>application/vnd.oasis.opendocument.graphics</code></div><div><code>application/vnd.oasis.opendocument.presentation</code></div><div><code>application/vnd.oasis.opendocument.spreadsheet</code></div><div><code>application/vnd.oasis.opendocument.text</code></div><div><code>application/vnd.openxmlformats-officedocument.presentationml.presentation</code></div><div><code>application/vnd.openxmlformats-officedocument.spreadsheetml.sheet</code></div><div><code>application/vnd.openxmlformats-officedocument.wordprocessingml.document</code></div><div><code>application/x-bzip</code></div><div><code>application/x-bzip2</code></div><div><code>application/x-tar</code></div><div><code>application/zip</code></div><div><code>image/bmp</code></div><div><code>image/jpeg</code></div><div><code>image/png</code></div><div><code>image/tiff</code></div><div><code>image/webp</code></div><div><code>image/svg+xml</code></div><div><code>text/csv</code></div><div><code>text/html</code></div><div><code>text/plain</code></div></td><td><div><code>rlink/@<span class="highlight">media-type</span></code></div><div><code>base64/@<span class="highlight">media-type</span></code></div></td></tr><tr><td 
colspan="2"><u>Resource Media Types</u>: <i>A subset of IANA media types expected to be encountered.</i></td></tr><tr><td rowspan="2"><div><code>privacy-designation</code></div></td><td><div><code>yes</code></div><div><code>no</code></div></td><td><div><code><span class="highlight-missed">system-information/prop[@name='privacy-sensitive']</span></code></div></td></tr><tr><td colspan="2"><u>Privacy Designation</u>: <i>Indicates whether this system is privacy sensitive.</i></td></tr><tr><td rowspan="2"><div><code>privacy-threshold-analysis-q1</code></div></td><td><div><code>yes</code></div><div><code>no</code></div></td><td><div><code><span class="highlight-missed">system-information/prop[@name='pta-1'][@ns='https://fedramp.gov/ns/oscal']</span><span class="NB"> ☚ Note the <code>@ns</code></span></code></div></td></tr><tr><td colspan="2"><u>Privacy Threshold Analysis (Q1)</u>: <i>Does the ISA collect, maintain, or share PII in any identifiable form?</i></td></tr><tr><td rowspan="2"><div><code>privacy-threshold-analysis-q2</code></div></td><td><div><code>yes</code></div><div><code>no</code></div></td><td><div><code><span class="highlight-missed">system-information/prop[@name='pta-2'][@ns='https://fedramp.gov/ns/oscal']</span><span class="NB"> ☚ Note the <code>@ns</code></span></code></div></td></tr><tr><td colspan="2"><u>Privacy Threshold Analysis (Q2)</u>: <i>Does the ISA collect, maintain, share PII info from or about the public?</i></td></tr><tr><td rowspan="2"><div><code>privacy-threshold-analysis-q3</code></div></td><td><div><code>yes</code></div><div><code>no</code></div></td><td><div><code><span class="highlight-missed">system-information/prop[@name='pta-3'][@ns='https://fedramp.gov/ns/oscal']</span><span class="NB"> ☚ Note the <code>@ns</code></span></code></div></td></tr><tr><td colspan="2"><u>Privacy Threshold Analysis (Q3)</u>: <i>Has a Privacy Impact Assessment ever been performed for the ISA?</i></td></tr><tr><td 
rowspan="3"><div><code>privacy-threshold-analysis-q4</code></div></td><td><div><code>yes</code></div><div><code>no</code></div></td><td><div><code><span class="highlight-missed">system-information/prop[@name='pta-4'][@ns='https://fedramp.gov/ns/oscal']</span><span class="NB"> ☚ Note the <code>@ns</code></span></code></div></td></tr><tr><td colspan="2"><u>Privacy Threshold Analysis (Q4)</u>: <i>Is there a Privacy Act System of Records Notice (SORN) for this ISA system?</i></td></tr><tr><td colspan="2">Remarks: If "yes" a SORN ID must be provided.</td></tr><tr><td rowspan="2"><div><code>public</code></div></td><td><div><code>yes</code></div><div><code>no</code></div></td><td><div><code>inventory-item/prop[@name='<span class="highlight">public</span>']</code></div><div><code>component/prop[@name='<span class="highlight">public</span>']</code></div></td></tr><tr><td colspan="2"><u>Public</u>: <i>Indicates if the asset is exposed to the public Internet.</i></td></tr><tr><td rowspan="2"><div><code>role-type</code></div></td><td><div><code>assessor</code></div><div><code>assessment-team</code></div><div><code>assessment-lead</code></div><div><code>assessment-executive</code></div><div><code>cloud-service-provider</code></div><div><code>csp-operations-center</code></div><div><code>csp-assessment-poc</code></div><div><code>csp-end-of-testing-poc</code></div><div><code>csp-results-poc</code></div><div><code>fedramp-pmo</code></div><div><code>fedramp-jab</code></div><div><code>penetration-test-team</code></div><div><code>penetration-test-lead</code></div><div><i>or any other value</i></div></td><td><div><code><span class="highlight-missed">role/@id</span></code></div></td></tr><tr><td colspan="2"><u>Defined Role Identifiers</u>: <i>Identifies the type of role for a responsible party.</i></td></tr><tr><td 
rowspan="2"><div><code>scan-type</code></div></td><td><div><code>infrastructure</code></div><div><code>database</code></div><div><code>web</code></div><div><code>other</code></div></td><td><div><code>component/prop[@name='<span class="highlight">scan-type</span>'][@ns='https://fedramp.gov/ns/oscal']<span class="NB"> ☚ Note the <code>@ns</code></span></code></div><div><code>inventory-item/prop[@name='<span class="highlight">scan-type</span>'][@ns='https://fedramp.gov/ns/oscal']<span class="NB"> ☚ Note the <code>@ns</code></span></code></div></td></tr><tr><td colspan="2"><u>Scan Type</u>: <i>Identifies the type of scan.</i></td></tr><tr><td rowspan="2"><div><code>security-level</code></div></td><td><div><code>fips-199-low</code></div><div><code>fips-199-moderate</code></div><div><code>fips-199-high</code></div></td><td><div><code><span class="highlight-missed">security-sensitivity-level</span></code></div><div><code><span class="highlight-missed">security-impact-level</span></code></div><div><code><span class="highlight-missed">(security-objective-confidentiality|security-objective-integrity|security-objective-availability)</span></code></div><div><code><span class="highlight-missed">system-information/information-type/(confidentiality-impact|integrity-impact|availability-impact)/(base|selected)</span></code></div></td></tr><tr><td colspan="2"><u>Security Impact Level</u>: <i>The security objective level as defined by NIST SP 800-60.</i></td></tr><tr><td rowspan="2"><div><code>service-model</code></div></td><td><div><code>saas</code></div><div><code>paas</code></div><div><code>iaas</code></div><div><code>other</code></div></td><td><div><code>system-characteristics/prop[@name='cloud-<span class="highlight">service-model</span>']/@value</code></div></td></tr><tr><td colspan="2"><u>Service Model</u>: <i>The cloud service model.</i></td></tr><tr><td 
rowspan="2"><div><code>system-identifier-type</code></div></td><td><div><code>http://fedramp.gov</code></div><div><code>https://ietf.org/rfc/rfc4122</code></div><div><i>or any other value</i></div></td><td><div><code><span class="highlight-missed">system-id/@identifier-type</span></code></div></td></tr><tr><td colspan="2"><u>System Identifier Type</u>: <i>Indicates the source of the unique ID assigned to the system. FedRAMP requires a FedRAMP-assigned identifier; however, additional identifiers may also be provided.</i></td></tr><tr><td rowspan="2"><div><code>system-operational-status</code></div></td><td><div><code>operational</code></div><div><code>under-development</code></div><div><code>under-major-modification</code></div><div><code>disposition</code></div><div><code>other</code></div></td><td><div><code><span class="highlight-missed">system-characteristics/status/@state</span></code></div></td></tr><tr><td colspan="2"><u>Operational Status (system)</u>: <i>The operational status of the system</i></td></tr><tr><td rowspan="2"><div><code>transport-type</code></div></td><td><div><code>tcp</code></div><div><code>udp</code></div></td><td><div><code><span class="highlight-missed">component[@component-type='service']/protocol/port-range/@transport</span></code></div></td></tr><tr><td colspan="2"><u>Transport Type</u>: <i>The internet protocol transport type.</i></td></tr><tr><td rowspan="2"><div><code>user-privilege</code></div></td><td><div><code>privileged</code></div><div><code>non-privileged</code></div><div><code>no-logical-access</code></div></td><td><div><code><span class="highlight-missed">user/prop[@name='privilege-level']/@value</span></code></div></td></tr><tr><td colspan="2"><u>User Privilege</u>: <i>Identifies the privilege level of the user.</i></td></tr><tr><td 
rowspan="2"><div><code>user-sensitivity-level</code></div></td><td><div><code>high-risk</code></div><div><code>severe</code></div><div><code>moderate</code></div><div><code>limited</code></div><div><code>not-applicable</code></div></td><td><div><code><span class="highlight-missed">user/prop[@name='sensitivity'][@ns='https://fedramp.gov/ns/oscal']</span><span class="NB"> ☚ Note the <code>@ns</code></span></code></div></td></tr><tr><td colspan="2"><u>User Sensitivity level</u>: <i>Identifies the sensitivity level of the user.</i></td></tr><tr><td rowspan="2"><div><code>user-type</code></div></td><td><div><code>internal</code></div><div><code>external</code></div><div><code>general-public</code></div></td><td><div><code><span class="highlight-missed">user/prop[@name='type']/@value</span></code></div></td></tr><tr><td colspan="2"><u>User Type</u>: <i>Identifies the user type.</i></td></tr><tr><td rowspan="2"><div><code>virtual</code></div></td><td><div><code>yes</code></div><div><code>no</code></div></td><td><div><code>inventory-item/prop[@name='<span class="highlight">virtual</span>']</code></div><div><code>component/prop[@name='<span class="highlight">virtual</span>']</code></div></td></tr><tr><td colspan="2"><u>Virtual</u>: <i>Indicates if the asset is virtual.</i></td></tr></tbody></table><h2>FedRAMP Extensions</h2><p>The <code>FedRAMP_extensions.xml</code> document contains OSCAL schema extensions for FedRAMP OSCAL documents.</p><table id="FedRAMP_extensions.xml"><caption><code>FedRAMP_extensions.xml</code> constraints</caption><thead><tr><th>Name</th><th>Values</th><th>Context(s) - <span class="highlight">Light blue</span> highlights use of name in context. 
<span class="highlight-missed">Yellow</span> highlights absence of name in context.</th></tr></thead><tbody><tr><td rowspan="3"><div><code>attachment-type</code></div></td><td><div><code>law</code></div><div><code>regulation</code></div><div><code>standard</code></div><div><code>guidance</code></div><div><code>policy</code></div><div><code>procedure</code></div><div><code>guide</code></div><div><code>rules-of-behavior</code></div><div><code>plan</code></div><div><code>system-security-plan</code></div><div><code>artifact</code></div><div><code>evidence</code></div><div><code>screen-shot</code></div><div><code>image</code></div><div><code>tool-report</code></div><div><code>raw-tool-output</code></div><div><code>interview-notes</code></div><div><code>questionnaire</code></div><div><code>report</code></div><div><code>fedramp-citations</code></div><div><code>fedramp-acronyms</code></div><div><code>fedramp-logo</code></div><div><code>separation-of-duties-matrix</code></div><div><code>logo</code></div><div><code>personal-identifiable-information</code></div><div><code>agreement</code></div><div><code>incident-response-plan</code></div><div><code>information-security-policies-and-procedures</code></div><div><code>user-guide</code></div><div><code>privacy-impact-analysis</code></div><div><code>information-system-contingency-plan</code></div><div><code>configuration-management-plan</code></div></td><td><div><code><span class="highlight-missed">/*/o:back-matter/o:resource/o:prop[@name='type']</span></code></div></td></tr><tr><td colspan="2"><u>Attachment/Resource Types</u>: <i>FedRAMP additional attachment/resource types.</i></td></tr><tr><td colspan="2">Remarks: These are in addition to the NIST-defined allowed values for resource types.</td></tr><tr><td 
rowspan="3"><div><code>control-implementation-status-constraints</code></div></td><td><div><code>implemented</code></div><div><code>partial</code></div><div><code>planned</code></div><div><code>alternative</code></div><div><code>not-applicable</code></div></td><td><div><code><span class="highlight-missed">/o:system-security-plan/o:control-implmentation/o:implemented-requirement/o:prop[@name='implementation-status'][@ns='https://fedramp.gov/ns/oscal']/@value</span><span class="NB"> ☚ Note the <code>@ns</code></span></code></div></td></tr><tr><td colspan="2"><u>Control Implementation Status Constraints</u>: <i>Defines the data type and allowed values for the Control Implementation Status</i></td></tr><tr><td colspan="2">Remarks:
When an extension is a prop, the data type and allowed values must be defined in a separate constraint.
</td></tr><tr><td rowspan="2"><div><code>control-origination-constraints</code></div></td><td><div><code>sp-corporate</code></div><div><code>sp-system</code></div><div><code>customer-configured</code></div><div><code>customer-provided</code></div><div><code>inherited</code></div></td><td><div><code><span class="highlight-missed">/o:system-security-plan/o:control-implmentation/o:implemented-requirement/o:prop[@name='control-origination'][@ns='https://fedramp.gov/ns/oscal']/@value</span><span class="NB"> ☚ Note the <code>@ns</code></span></code></div></td></tr><tr><td colspan="2"><u>Control Origination</u>: <i>The point(s) from which the control satisfaction originates.</i></td></tr><tr><td rowspan="3"><div><code>fedramp-assessment-role-identifiers</code></div></td><td><div><code>assessor</code></div><div><code>assessment-team</code></div><div><code>assessment-lead</code></div><div><code>assessment-executive</code></div><div><code>csp-assessment-poc</code></div><div><code>csp-end-of-testing-poc</code></div><div><code>csp-results-poc</code></div><div><code>penetration-test-team</code></div><div><code>penetration-test-lead</code></div></td><td><div><code><span class="highlight-missed">/*/o:metadata/o:role/@id</span></code></div></td></tr><tr><td colspan="2"><u>Assessment Role Identifiers</u>: <i>FedRAMP additional roles identifiers.</i></td></tr><tr><td colspan="2">Remarks: These are in addition to the NIST-defined allowed values for role identifiers, and apply to OSCAL-based FedRAMP SAP and SAR content.</td></tr><tr><td rowspan="3"><div><code>fedramp-general-role-identifiers</code></div></td><td><div><code>fedramp-pmo</code></div><div><code>fedramp-jab</code></div><div><code>cloud-service-provider</code></div><div><code>csp-operations-center</code></div></td><td><div><code><span class="highlight-missed">/*/o:metadata/o:role/@id</span></code></div></td></tr><tr><td colspan="2"><u>General Role Identifiers</u>: <i>FedRAMP additional roles 
identifiers.</i></td></tr><tr><td colspan="2">Remarks: These are in addition to the NIST-defined allowed values for role identifiers, and apply to all OSCAL-based FedRAMP content.</td></tr><tr><td rowspan="2"><div><code>hash-algorithm</code></div></td><td><div><code>SHA-224</code></div><div><code>SHA-256</code></div><div><code>SHA-384</code></div><div><code>SHA-512</code></div><div><code>RIPEMD-160</code></div></td><td><div><code><span class="highlight-missed">o:resource/o:hash/@algorithm</span></code></div></td></tr><tr><td colspan="2"><u>Hash Algorithm</u>: <i>Identifies the algorithm used to create the hash value of the attachment.</i></td></tr><tr><td rowspan="3"><div><code>information-type-system</code></div></td><td><div><code>https://doi.org/10.6028/NIST.SP.800-60v2r1</code></div></td><td><div><code><span class="highlight-missed">/o:system-security-plan/o:system-characteristics/o:system-information/o:information-type/o:information-type-id/@system</span></code></div></td></tr><tr><td colspan="2"><u>Information Type System</u>: <i>Identifies the system from which the information type was defined.</i></td></tr><tr><td colspan="2">Remarks: FedRAMP only allows information types defined in NIST SP 800-60v2r1.</td></tr><tr><td 
rowspan="3"><div><code>media-type</code></div></td><td><div><code>application/gzip</code></div><div><code>application/msword</code></div><div><code>application/octet-stream</code></div><div><code>application/pdf</code></div><div><code>application/vnd.ms-excel</code></div><div><code>application/vnd.ms-works</code></div><div><code>application/vnd.oasis.opendocument.graphics</code></div><div><code>application/vnd.oasis.opendocument.presentation</code></div><div><code>application/vnd.oasis.opendocument.spreadsheet</code></div><div><code>application/vnd.oasis.opendocument.text</code></div><div><code>application/vnd.openxmlformats-officedocument.presentationml.presentation</code></div><div><code>application/vnd.openxmlformats-officedocument.spreadsheetml.sheet</code></div><div><code>application/vnd.openxmlformats-officedocument.wordprocessingml.document</code></div><div><code>application/x-bzip</code></div><div><code>application/x-bzip2</code></div><div><code>application/x-tar</code></div><div><code>application/zip</code></div><div><code>image/bmp</code></div><div><code>image/jpeg</code></div><div><code>image/png</code></div><div><code>image/tiff</code></div><div><code>image/webp</code></div><div><code>image/svg+xml</code></div><div><code>text/csv</code></div><div><code>text/html</code></div><div><code>text/plain</code></div></td><td><div><code>o:rlink/@<span class="highlight">media-type</span></code></div><div><code>o:base64/@<span class="highlight">media-type</span></code></div></td></tr><tr><td colspan="2"><u>Attachment/Resource Media Types</u>: <i>IANA media-types supported by FedRAMP as attachment/resource types.</i></td></tr><tr><td colspan="2">Remarks: These are in addition to the NIST-defined allowed values for resource types.</td></tr><tr><td 
rowspan="2"><div><code>observation-types</code></div></td><td><div><code>vendor-dependency</code></div><div><code>false-positive</code></div><div><code>operational-requirement</code></div><div><code>risk-adjustment</code></div><div><code>closure</code></div></td><td><div><code><span class="highlight-missed">/o:plan-of-action-and-milestones/o:observation/o:type</span></code></div><div><code><span class="highlight-missed">/o:assessment-results/o:result/o:observation/o:type</span></code></div></td></tr><tr><td colspan="2"><u>Observation Types</u>: <i>In addition to the NIST observation types, FedRAMP requires observation types to support risk deviations and vendor dependencies.</i></td></tr><tr><td rowspan="3"><div><code>planned-completion-date</code></div></td><td></td><td><div><code><span class="highlight-missed">/o:system-security-plan/o:control-implementation/o:implemented-requirement[o:prop[@name='implementation-status'][@value='planned']]</span></code></div></td></tr><tr><td colspan="2"><u>Planned Implementation Date Exists</u>: <i>If the control implementation status is "Planned", a "Planned Implementation Date" must be provided.</i></td></tr><tr><td colspan="2">Remarks:
In the SSP, if implemented-requirement includes prop[@name='implementation-status'] with value='planned', a planned-completion-date extension must be provided.
</td></tr><tr><td rowspan="2"><div><code>poam-risk-impacted-control</code></div></td><td></td><td><div><code><span class="highlight-missed">/o:plan-of-action-and-milestones/o:risk/o:prop</span></code></div></td></tr><tr><td colspan="2"><u>Impacted Control</u>: <i>At least one impacted control field is required in the POA&amp;M.</i></td></tr><tr><td rowspan="2"><div><code>sar-risk-impacted-control</code></div></td><td></td><td><div><code><span class="highlight-missed">/o:assessment-results/o:result/o:risk/o:prop</span></code></div></td></tr><tr><td colspan="2"><u>Impacted Control</u>: <i>The impacted control field is optional in the SAR, but helpful in anticipation of copying open risks to the POA&amp;M.</i></td></tr><tr><td rowspan="2"><div><code>security-level</code></div></td><td><div><code>fips-199-low</code></div><div><code>fips-199-moderate</code></div><div><code>fips-199-high</code></div></td><td><div><code><span class="highlight-missed">security-sensitivity-level</span></code></div><div><code><span class="highlight-missed">security-impact-level</span></code></div><div><code><span class="highlight-missed">(security-objective-confidentiality|security-objective-integrity|security-objective-availability)</span></code></div><div><code><span class="highlight-missed">system-information/information-type/(confidentiality-impact|integrity-impact|availability-impact)/(base|selected)</span></code></div></td></tr><tr><td colspan="2"><u>Security Impact Level</u>: <i>The security objective level as defined by NIST SP 800-60.</i></td></tr><tr><td rowspan="2"><div><code>system-identifier-type</code></div></td><td><div><code>https://fedramp.gov</code></div><div><code>https://ietf.org/rfc/rfc4122</code></div></td><td><div><code><span class="highlight-missed">/o:system-security-plan/o:system-characteristics/o:system-id/@identifier-type</span></code></div></td></tr><tr><td colspan="2"><u>System Identifier Type</u>: <i>Enables an identifier to be formally recognized as being 
assigned by FedRAMP.</i></td></tr><tr><td rowspan="3"><div><code>system-operational-status</code></div></td><td><div><code>operational</code></div><div><code>under-development</code></div><div><code>disposition</code></div><div><code>other</code></div></td><td><div><code><span class="highlight-missed">/o:system-security-plan/o:system-characteristics/o:status/@state</span></code></div></td></tr><tr><td colspan="2"><u>Operational Status (system)</u>: <i>The operational status of the system</i></td></tr><tr><td colspan="2">Remarks:
FedRAMP limits the allowed values from a larger NIST-defined list to only those defined here.
</td></tr></tbody></table></body></html>