@ohsh6o
Last active June 30, 2021 15:24
FedRAMP Rules Mapping
<!DOCTYPE HTML>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>FedRAMP Rules and Validation Logic</title><style>caption { font-weight: bold; font-size: large; } thead tr { background-color: #e0e0e0; color: inherit; } thead th { vertical-align: bottom; text-align: left; white-space: normal; } thead td { } tbody tr { vertical-align: top; } tbody th { text-align: left; background-color: #e8e8e8; color: inherit; } tbody tr { background-color: #f0f0f0; color: inherit; } code code { color: inherit; } .highlight { background-color: powderblue; } .highlight-missed { background-color: yellow; } .missing { background-color: orange; } .NB { background-color: thistle; } .FedRAMP-ns { background-color: chartreuse; } .context-item { font-variant: small-caps; } .role-error, .role-fatal { color: red; } .role-warning { color: orange; } blockquote { background: #f9f9f9; border-left: 10px solid #ccc; margin: 1.5em 10px; padding: 0.5em 10px; quotes: "\201C" "\201D" "\2018" "\2019"; width: 50%; } *[title] { cursor: help; } .assertion, .diagnostic { font-style: italic; } .assertion, .diagnostic { font-weight: bold; font-size:larger; } .assertion:before, .diagnostic:before { content: "assertion: "; font-style: normal; font-weight: normal; } .diagnostic:before { content: "diagnostic: "; font-style: normal; } .substitution { font-family: monospace; background-color: lightgrey; } </style></head><body><h1>FedRAMP Rules and Validation Logic</h1><p>Last updated June 30 2021 11:07 EDT.</p><p>Information from <a href="#fedramp_values.xml"><code>fedramp_values.xml</code></a> and <a href="#FedRAMP_extensions.xml"><code>FedRAMP_extensions.xml</code></a> is presented.</p><p>Some items for discussion and decision:</p><ul><li>How much context should accompany Schematron messages? <ul><li>For FedRAMP OSCAL SSP submitters</li><li>For FedRAMP OSCAL SSP reviewers</li></ul></li><li>Should Schematron be a structured form of FedRAMP rule definitions? 
(A Schematron document may include arbitrary information
cast as XML in one or more XML namespaces.) <ul><li>Should it be the sole source?</li></ul></li><li>Should <a href="https://www.plainlanguage.gov/" target="_blank">plainlanguage.gov</a> prose style be used?</li><li>Will FedRAMP automation structured documentation be inclusive of <a href="https://www.section508.gov/" target="_blank">Section 508</a> accommodations?</li></ul><h2>Rules</h2><p>The following table lists Schematron <code>assert</code> and <code>report</code> elements with the Schematron ID, assertion
(affirmative statement), diagnostic (negative statement used when the assertion was false), and related attributes. Each of these
is subordinate to a context defined in a parent Schematron <code>rule</code> element.</p><table><caption><div>List of assertions</div><p>There are 142 Schematron assertions and 284 XSpec tests as of this update</p></caption><colgroup><col style="width:15%;"><col></colgroup><thead><tr><th>ID</th><th>Statement</th></tr></thead><tbody><tr><td>no-registry-values</td><td><div><span class="assertion">The registry values are available.</span></div><div><span class="diagnostic" title="no-registry-values-diagnostic"> The registry values at the path '
<span class="substitution">&lt;sch:value-of select="$registry-base-path"/&gt;</span>' are not present, this configuration is invalid.</span></div><div>context: <code>/o:system-security-plan</code></div><div>test: <code>count($registry/f:fedramp-values/f:value-set) &gt; 0</code></div><div>role: <code>fatal</code></div><div>affirmative XSpec test: <span class="missing">no coverage</span></div><div>negative XSpec test: <span class="missing">no coverage</span></div></td></tr><tr><td>no-security-sensitivity-level</td><td><div><span class="assertion">[Section C Check 1.a] Sensitivity level is defined.</span></div><div><span class="diagnostic" title="no-security-sensitivity-level-diagnostic"> [Section C Check 1.a] No sensitivity level was found As a result, no more
validation processing can occur.</span></div><div>context: <code>/o:system-security-plan</code></div><div>test: <code>$sensitivity-level != ''</code></div><div>role: <code>fatal</code></div><div>affirmative XSpec test: <span class="missing">no coverage</span></div><div>negative XSpec test: For an OSCAL FedRAMP SSP → Section 2.1 → when the security sensitivity level → is not defined at all → it is invalid.</div><div>FedRAMP note: section-c.1.a</div></td></tr><tr><td>invalid-security-sensitivity-level</td><td><div><span class="assertion">[Section C Check 1.a] Sensitivity level has an allowed
value.</span></div><div><span class="diagnostic" title="invalid-security-sensitivity-level-diagnostic"> [Section C Check 1.a]
<span class="substitution">&lt;sch:value-of select="./name()"/&gt;</span>is an invalid value of '
<span class="substitution">&lt;sch:value-of select="lv:sensitivity-level(/)"/&gt;</span>', not an allowed value of
<span class="substitution">&lt;sch:value-of select="$corrections"/&gt;</span>. No more validation processing can occur.</span></div><div>context: <code>/o:system-security-plan</code></div><div>test: <code>empty($ok-values) or not(exists($corrections))</code></div><div>role: <code>fatal</code></div><div>affirmative XSpec test: For an OSCAL FedRAMP SSP → Section 2.1 → when the security sensitivity level → is set to a value from the official FedRAMP list → it is valid.</div><div>negative XSpec test: For an OSCAL FedRAMP SSP → Section 2.1 → when the security sensitivity level → is not set to a value from the official FedRAMP list → it is invalid.</div><div>FedRAMP note: section-c.1.a</div></td></tr><tr><td>incomplete-core-implemented-requirements</td><td><div><span class="assertion">[Section C Check 3] This SSP has implemented the most important controls.</span></div><div><span class="diagnostic" title="incomplete-core-implemented-requirements-diagnostic"> [Section C Check 3] This SSP has not implemented the most important
<span class="substitution">&lt;sch:value-of select="count($core-missing)"/&gt;</span>core
<span class="substitution">&lt;sch:value-of select=" if (count($core-missing) = 1) then ' control' else ' controls'"/&gt;</span>:
<span class="substitution">&lt;sch:value-of select="$core-missing/@id"/&gt;</span>.</span></div><div>context: <code>/o:system-security-plan/o:control-implementation</code></div><div>test: <code>not(exists($core-missing))</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: For an OSCAL FedRAMP SSP → Section 13 → when the most important core controls are defined → and these controls do not have implemented requirements → it is valid.</div><div>negative XSpec test: For an OSCAL FedRAMP SSP → Section 13 → when the most important core controls are defined → and these controls do not have implemented requirements → it is invalid.</div><div>FedRAMP note: section-c.3</div></td></tr><tr><td>incomplete-all-implemented-requirements</td><td><div><span class="assertion">[Section C Check 2] This SSP has implemented all required controls.</span></div><div><span class="diagnostic" title="incomplete-all-implemented-requirements-diagnostic"> [Section C Check 2] This SSP has not implemented
<span class="substitution">&lt;sch:value-of select="count($all-missing)"/&gt;</span><span class="substitution">&lt;sch:value-of select=" if (count($all-missing) = 1) then ' control' else ' controls'"/&gt;</span>overall:
<span class="substitution">&lt;sch:value-of select="$all-missing/@id"/&gt;</span>.</span></div><div>context: <code>/o:system-security-plan/o:control-implementation</code></div><div>test: <code>not(exists($all-missing))</code></div><div>role: <code>warning</code></div><div>affirmative XSpec test: <span class="missing">no coverage</span></div><div>negative XSpec test: For an OSCAL FedRAMP SSP → Section 13 → when control implementations are defined → and all required implementations are not yet complete → it is invalid.</div><div>FedRAMP note: section-c.2</div></td></tr><tr><td>extraneous-implemented-requirements</td><td><div><span class="assertion">[Section C Check 2] This SSP has no extraneous implemented controls.</span></div><div><span class="diagnostic" title="extraneous-implemented-requirements-diagnostic"> [Section C Check 2] This SSP has implemented
<span class="substitution">&lt;sch:value-of select="count($extraneous)"/&gt;</span>extraneous
<span class="substitution">&lt;sch:value-of select=" if (count($extraneous) = 1) then ' control' else ' controls'"/&gt;</span>not needed given the selected profile:
<span class="substitution">&lt;sch:value-of select="$extraneous/@control-id"/&gt;</span>.</span></div><div>context: <code>/o:system-security-plan/o:control-implementation</code></div><div>test: <code>not(exists($extraneous))</code></div><div>role: <code>warning</code></div><div>affirmative XSpec test: For an OSCAL FedRAMP SSP → Section 13 → when no extraneous control is implemented except those required by the profile → it is valid.</div><div>negative XSpec test: For an OSCAL FedRAMP SSP → Section 13 → when an extraneous control not required by the profile is implemented → it is invalid.</div><div>FedRAMP note: section-c.2</div></td></tr><tr><td>invalid-implementation-status</td><td><div><span class="assertion">[Section C Check 2] Implementation status is correct.</span></div><div><span class="diagnostic" title="invalid-implementation-status-diagnostic"> [Section C Check 2] Invalid status '
<span class="substitution">&lt;sch:value-of select="$status"/&gt;</span>' for
<span class="substitution">&lt;sch:value-of select="./@control-id"/&gt;</span>, must be
<span class="substitution">&lt;sch:value-of select="$corrections"/&gt;</span>.</span></div><div>context: <code>/o:system-security-plan/o:control-implementation/o:implemented-requirement</code></div><div>test: <code>not(exists($corrections))</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: <span class="missing">no coverage</span></div><div>negative XSpec test: For an OSCAL FedRAMP SSP → Section 13 → when control implementations are defined → and requirements are implemented → and any control's implemented requirement is defined with an invalid status → it is invalid.</div><div>FedRAMP note: section-c.2</div></td></tr><tr><td>missing-response-points</td><td><div><span class="assertion">[Section C Check 2] This SSP has required response points.</span></div><div><span class="diagnostic" title="missing-response-points-diagnostic"> [Section C Check 2] This SSP has not implemented a statement for each of the
following lettered response points for required controls:
<span class="substitution">&lt;sch:value-of select="$missing/@id"/&gt;</span>.</span></div><div>context: <code>/o:system-security-plan/o:control-implementation/o:implemented-requirement</code></div><div>test: <code>not(exists($missing))</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: <span class="missing">no coverage</span></div><div>negative XSpec test: For an OSCAL FedRAMP SSP → Section 13 → when control implementations are defined → and the profile defines specific response points to address specific control requirements → and response points are properly defined → and response points are missing → it generates an error because missing response points are invalid. → it generates an error because missing response points are invalid.</div><div>FedRAMP note: section-c.2</div></td></tr><tr><td>missing-response-components</td><td><div><span class="assertion">[Section D Checks] Response statements have sufficient
components.</span></div><div><span class="diagnostic" title="missing-response-components-diagnostic"> [Section D Checks] Response statements for
<span class="substitution">&lt;sch:value-of select="./@statement-id"/&gt;</span>must have at least
<span class="substitution">&lt;sch:value-of select="$required-components-count"/&gt;</span><span class="substitution">&lt;sch:value-of select=" if (count($components-count) = 1) then ' component' else ' components'"/&gt;</span>with a description. There are
<span class="substitution">&lt;sch:value-of select="$components-count"/&gt;</span>.</span></div><div>context: <code>/o:system-security-plan/o:control-implementation/o:implemented-requirement/o:statement</code></div><div>test: <code>$components-count &gt;= $required-components-count</code></div><div>role: <code>warning</code></div><div>affirmative XSpec test: <span class="missing">no coverage</span></div><div>negative XSpec test: <span class="missing">no coverage</span></div><div>FedRAMP note: section-d</div></td></tr><tr><td>extraneous-response-description</td><td><div><span class="assertion">[Section D Checks] Response statement does not have a description not within a component.</span></div><div><span class="diagnostic" title="extraneous-response-description-diagnostic"> [Section D Checks] Response statement
<span class="substitution">&lt;sch:value-of select="../@statement-id"/&gt;</span>has a description not within a component. That was previously allowed, but not recommended. It will
soon be syntactically invalid and deprecated.</span></div><div>context: <code>/o:system-security-plan/o:control-implementation/o:implemented-requirement/o:statement/o:description</code></div><div>test: <code>. =&gt; empty()</code></div><div>role: <code>warning</code></div><div>affirmative XSpec test: <span class="missing">no coverage</span></div><div>negative XSpec test: For an OSCAL FedRAMP SSP → Section 13 → when control implementations are defined → and implemented requirements have explanatory statement descriptions defined directly in the statement → it generates a warning.</div><div>FedRAMP note: section-d</div></td></tr><tr><td>extraneous-response-remarks</td><td><div><span class="assertion">[Section D Checks] Response statement does not have remarks not within a component.</span></div><div><span class="diagnostic" title="extraneous-response-remarks-diagnostic"> [Section D Checks] Response statement
<span class="substitution">&lt;sch:value-of select="../@statement-id"/&gt;</span>has remarks not within a component. That was previously allowed, but not recommended. It will soon
be syntactically invalid and deprecated.</span></div><div>context: <code>/o:system-security-plan/o:control-implementation/o:implemented-requirement/o:statement/o:remarks</code></div><div>test: <code>. =&gt; empty()</code></div><div>role: <code>warning</code></div><div>affirmative XSpec test: <span class="missing">no coverage</span></div><div>negative XSpec test: For an OSCAL FedRAMP SSP → Section 13 → when control implementations are defined → and implemented requirements have explanatory statement remarks defined directly in the statement → it generates a warning.</div><div>FedRAMP note: section-d</div></td></tr><tr><td>invalid-component-match</td><td><div><span class="assertion">[Section D Checks]
Response statement cites a component in the system implementation inventory.</span></div><div><span class="diagnostic" title="invalid-component-match-diagnostic"> [Section D Checks] Response statement
<span class="substitution">&lt;sch:value-of select="../@statement-id"/&gt;</span>with component reference UUID '
<span class="substitution">&lt;sch:value-of select="$component-ref"/&gt;</span>' is not in the system implementation inventory, and cannot be used to define a
control.</span></div><div>context: <code>/o:system-security-plan/o:control-implementation/o:implemented-requirement/o:statement/o:by-component</code></div><div>test: <code>/o:system-security-plan/o:system-implementation/o:component[@uuid = $component-ref] =&gt; exists()</code></div><div>role: <code>warning</code></div><div>affirmative XSpec test: For an OSCAL FedRAMP SSP → Section 13 → when control implementations are defined → and implemented requirements have a component reference → and it references a component with a valid ID. → it is valid.</div><div>negative XSpec test: For an OSCAL FedRAMP SSP → Section 13 → when control implementations are defined → and implemented requirements have a component reference → and it references a component with an ID not previously declared. → and it references a component with an ID and no components are declared. → it generates a warning. → it generates a warning.</div><div>FedRAMP note: section-d</div></td></tr><tr><td>missing-component-description</td><td><div><span class="assertion">[Section D Checks] Response statement has a component which has a required description
node.</span></div><div><span class="diagnostic" title="missing-component-description-diagnostic"> [Section D Checks] Response statement
<span class="substitution">&lt;sch:value-of select="../@statement-id"/&gt;</span>has a component, but that component is missing a required description node.</span></div><div>context: <code>/o:system-security-plan/o:control-implementation/o:implemented-requirement/o:statement/o:by-component</code></div><div>test: <code>./o:description =&gt; exists()</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: For an OSCAL FedRAMP SSP → Section 13 → when control implementations are defined → and implemented requirements have explanatory statement in a component reference → and the component reference has a description → it is valid.</div><div>negative XSpec test: For an OSCAL FedRAMP SSP → Section 13 → when control implementations are defined → and implemented requirements have explanatory statement in a component reference → and the component reference has no description → it is valid.</div><div>FedRAMP note: section-d</div></td></tr><tr><td>incomplete-response-description</td><td><div><span class="assertion">[Section D Checks] Response statement component description has adequate
length.</span></div><div><span class="diagnostic" title="incomplete-response-description-diagnostic"> [Section D Checks] Response statement component description for
<span class="substitution">&lt;sch:value-of select="../../@statement-id"/&gt;</span>is too short with
<span class="substitution">&lt;sch:value-of select="$description-length"/&gt;</span>characters. It must be
<span class="substitution">&lt;sch:value-of select="$required-length"/&gt;</span>characters long.</span></div><div>context: <code>/o:system-security-plan/o:control-implementation/o:implemented-requirement/o:statement/o:by-component/o:description</code></div><div>test: <code>$description-length &gt;= $required-length</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: For an OSCAL FedRAMP SSP → Section 13 → when control implementations are defined → and implemented requirements have explanatory statement descriptions properly defined in a component reference → and it is sufficiently long → it is valid.</div><div>negative XSpec test: For an OSCAL FedRAMP SSP → Section 13 → when control implementations are defined → and implemented requirements have explanatory statement descriptions properly defined in a component reference → and it is not sufficiently long → it is invalid.</div><div>FedRAMP note: section-d</div></td></tr><tr><td>incomplete-response-remarks</td><td><div><span class="assertion">[Section D Checks] Response statement component remarks have adequate
length.</span></div><div><span class="diagnostic" title="incomplete-response-remarks-diagnostic"> [Section D Checks] Response statement component remarks for
<span class="substitution">&lt;sch:value-of select="../../@statement-id"/&gt;</span>is too short with
<span class="substitution">&lt;sch:value-of select="$remarks-length"/&gt;</span>characters. It must be
<span class="substitution">&lt;sch:value-of select="$required-length"/&gt;</span>characters long.</span></div><div>context: <code>/o:system-security-plan/o:control-implementation/o:implemented-requirement/o:statement/o:by-component/o:remarks</code></div><div>test: <code>$remarks-length &gt;= $required-length</code></div><div>role: <code>warning</code></div><div>affirmative XSpec test: For an OSCAL FedRAMP SSP → Section 13 → when control implementations are defined → and implemented requirements have explanatory statement remarks properly defined in a component reference → and it is sufficiently long → it is valid.</div><div>negative XSpec test: For an OSCAL FedRAMP SSP → Section 13 → when control implementations are defined → and implemented requirements have explanatory statement remarks properly defined in a component reference → and it is not sufficiently long → it is invalid.</div><div>FedRAMP note: section-d</div></td></tr><tr><td>incorrect-role-association</td><td><div><span class="assertion">[Section C Check 2] This SSP has defined a responsible party with no extraneous
roles.</span></div><div><span class="diagnostic" title="incorrect-role-association-diagnostic"> [Section C Check 2] This SSP has defined a responsible party with
<span class="substitution">&lt;sch:value-of select="count($extraneous-roles)"/&gt;</span><span class="substitution">&lt;sch:value-of select=" if (count($extraneous-roles) = 1) then ' role' else ' roles'"/&gt;</span>not defined in the role:
<span class="substitution">&lt;sch:value-of select="$extraneous-roles/@role-id"/&gt;</span>.</span></div><div>context: <code>/o:system-security-plan/o:metadata</code></div><div>test: <code>not(exists($extraneous-roles))</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: For an OSCAL FedRAMP SSP → Section 6 → when responsible party → references a valid role and valid party → role positive case.</div><div>negative XSpec test: For an OSCAL FedRAMP SSP → Section 6 → when responsible party → references an invalid role but valid party → references an invalid role and invalid party → role-id referenced is not defined case. → role-id referenced is not defined case.</div><div>FedRAMP note: section-c.6</div></td></tr><tr><td>incorrect-party-association</td><td><div><span class="assertion">[Section C Check 2] This SSP has defined a responsible party with no extraneous
parties.</span></div><div><span class="diagnostic" title="incorrect-party-association-diagnostic"> [Section C Check 2] This SSP has defined a responsible party with
<span class="substitution">&lt;sch:value-of select="count($extraneous-parties)"/&gt;</span><span class="substitution">&lt;sch:value-of select=" if (count($extraneous-parties) = 1) then ' party' else ' parties'"/&gt;</span>is not a defined party:
<span class="substitution">&lt;sch:value-of select="$extraneous-parties/o:party-uuid"/&gt;</span>.</span></div><div>context: <code>/o:system-security-plan/o:metadata</code></div><div>test: <code>not(exists($extraneous-parties))</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: For an OSCAL FedRAMP SSP → Section 6 → when responsible party → references a valid role and valid party → party positive case.</div><div>negative XSpec test: For an OSCAL FedRAMP SSP → Section 6 → when responsible party → references a valid role but invalid party → references an invalid role and invalid party → party-uuid referenced is not defined, case. → party-uuid referenced is not defined, case.</div><div>FedRAMP note: section-c.6</div></td></tr><tr><td>resource-uuid-required</td><td><div><span class="assertion">This SSP has back-matter resources each with a UUID.</span></div><div><span class="diagnostic" title="resource-uuid-required-diagnostic"> This SSP includes back-matter resource missing a UUID.</span></div><div>context: <code>/o:system-security-plan/o:back-matter/o:resource</code></div><div>test: <code>./@uuid</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: <span class="missing">no coverage</span></div><div>negative XSpec test: For an OSCAL FedRAMP SSP → Chapter 15 → when required attachments → specified via back matter resource → has missing required fields → back-matter resource missing uuid attribute.</div><div>FedRAMP note: section-b.?????</div></td></tr><tr><td>resource-base64-available-filenamne</td><td><div><span class="assertion">This base64 has a filename attribute.</span></div><div><span class="diagnostic" title="resource-base64-available-filenamne-diagnostic"> This base64 lacksd a filename attribute.</span></div><div>context: <code>/o:system-security-plan/o:back-matter/o:resource/o:base64</code></div><div>test: <code>./@filename</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: <span 
class="missing">no coverage</span></div><div>negative XSpec test: <span class="missing">no coverage</span></div><div>FedRAMP note: section-b.?????</div></td></tr><tr><td>resource-base64-available-media-type</td><td><div><span class="assertion">This base64 has a filename attribute.</span></div><div><span class="diagnostic" title="resource-base64-available-media-type-diagnostic"> This base64 lacksd a media-type attribute.</span></div><div>context: <code>/o:system-security-plan/o:back-matter/o:resource/o:base64</code></div><div>test: <code>./@media-type</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: <span class="missing">no coverage</span></div><div>negative XSpec test: <span class="missing">no coverage</span></div><div>FedRAMP note: section-b.?????</div></td></tr><tr><td>resource-has-uuid</td><td><div><span class="assertion">A resource must have a uuid attribute.</span></div><div><span class="diagnostic" title="resource-has-uuid-diagnostic"> This resource lacks a uuid attribute.</span></div><div>context: <code>oscal:resource</code></div><div>test: <code>@uuid</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments → General: → when a resource → has a uuid → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments → General: → when a resource → lacks a uuid → that is an error</div></td></tr><tr><td>resource-has-title</td><td><div><span class="assertion">A resource should have a title.</span></div><div><span class="diagnostic" title="resource-has-title-diagnostic"> This resource lacks a title.</span></div><div>context: <code>oscal:resource</code></div><div>test: <code>oscal:title</code></div><div>role: <code>warning</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments → General: → when a resource → has a title → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments → General: → when a resource → lacks a title → that is an 
error</div></td></tr><tr><td>resource-has-rlink</td><td><div><span class="assertion">A resource must have a rlink element</span></div><div><span class="diagnostic" title="resource-has-rlink-diagnostic"> This resource lacks a rlink element.</span></div><div>context: <code>oscal:resource</code></div><div>test: <code>oscal:rlink</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments → General: → when a resource → has a rlink → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments → General: → when a resource → lacks a rlink → that is an error</div></td></tr><tr><td>resource-is-referenced</td><td><div><span class="assertion">A resource should be referenced from within the
document.</span></div><div><span class="diagnostic" title="resource-is-referenced-diagnostic"> This resource lacks a reference within the document (but does not).</span></div><div>context: <code>oscal:resource</code></div><div>test: <code>@uuid = (//@href[matches(., '^#')] ! substring-after(., '#'))</code></div><div>role: <code>information</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments → General: → when a resource → is referenced → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments → General: → when a resource → is not referenced → that is an anomaly</div></td></tr><tr><td>attachment-type-is-valid</td><td><div><span class="assertion">A resource should have an allowed attachment-type property.</span></div><div><span class="diagnostic" title="attachment-type-is-valid-diagnostic"> Found unknown attachment type «
<span class="substitution">&lt;sch:value-of select="@value"/&gt;</span>» in
<span class="substitution">&lt;sch:value-of select=" if (parent::oscal:resource/oscal:title) then concat('"', parent::oscal:resource/oscal:title, '"') else 'untitled'"/&gt;</span>resource.</span></div><div>context: <code>oscal:back-matter/oscal:resource/oscal:prop[@name = 'type']</code></div><div>test: <code>@value = $attachment-types</code></div><div>role: <code>warning</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments → General: → when a resource attachment type → is allowed → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments → General: → when a resource attachment type → is not allowed → that is an error</div></td></tr><tr><td>rlink-has-href</td><td><div><span class="assertion">A resource rlink must have an href attribute.</span></div><div><span class="diagnostic" title="rlink-has-href-diagnostic"> This rlink lacks an href attribute.</span></div><div>context: <code>oscal:back-matter/oscal:resource/oscal:rlink</code></div><div>test: <code>@href</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments → General: → when an rlink → has an href → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments → General: → when an rlink → lacks an href → that is correct</div></td></tr><tr><td>has-allowed-media-type</td><td><div><span class="assertion">A media-type attribute must have an allowed value.</span></div><div><span class="diagnostic" title="has-allowed-media-type-diagnostic"> This
<span class="substitution">&lt;sch:value-of select="name(parent::node())"/&gt;</span>has a media-type="
<span class="substitution">&lt;sch:value-of select="current()"/&gt;</span>" which is not in the list of allowed media types. Allowed media types are
<span class="substitution">&lt;sch:value-of select="string-join($media-types, ' ∨ ')"/&gt;</span>.</span></div><div>context: <code>@media-type</code></div><div>test: <code>current() = $media-types</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments → General: → when the media-type attribute → has an allowed value → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments → General: → when the media-type attribute → lacks an allowed value → that is an error</div></td></tr><tr><td>resource-has-base64</td><td><div><span class="assertion">A resource should have a base64 element.</span></div><div><span class="diagnostic" title="resource-has-base64-diagnostic"> This resource should have a base64 element.</span></div><div>context: <code>oscal:back-matter/oscal:resource</code></div><div>test: <code>oscal:base64</code></div><div>role: <code>warning</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments → General: → when the base64 element → is present → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments → General: → when the base64 element → is missing → that is a warning</div></td></tr><tr><td>resource-base64-cardinality</td><td><div><span class="assertion">A resource must have only one base64 element.</span></div><div><span class="diagnostic" title="resource-base64-cardinality-diagnostic"> This resource must not have more than one base64 element.</span></div><div>context: <code>oscal:back-matter/oscal:resource</code></div><div>test: <code>not(oscal:base64[2])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: <span class="missing">no coverage</span></div><div>negative XSpec test: <span class="missing">no coverage</span></div></td></tr><tr><td>base64-has-filename</td><td><div><span class="assertion">A base64 element must have a filename attribute.</span></div><div><span class="diagnostic" title="base64-has-filename-diagnostic"> This 
base64 must have a filename attribute.</span></div><div>context: <code>oscal:back-matter/oscal:resource/oscal:base64</code></div><div>test: <code>@filename</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments → General: → when the base64 element → has @filename → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments → General: → when the base64 element → lacks @filename → that is an error</div></td></tr><tr><td>base64-has-media-type</td><td><div><span class="assertion">A base64 element must have a media-type attribute.</span></div><div><span class="diagnostic" title="base64-has-media-type-diagnostic"> This base64 must have a media-type attribute.</span></div><div>context: <code>oscal:back-matter/oscal:resource/oscal:base64</code></div><div>test: <code>@media-type</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments → General: → when the base64 element → has @media-type → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments → General: → when the base64 element → lacks @media-type → that is an error</div></td></tr><tr><td>base64-has-content</td><td><div><span class="assertion">A
base64 element must have content.</span></div><div><span class="diagnostic" title="base64-has-content-diagnostic"> This base64 must have content.</span></div><div>context: <code>oscal:back-matter/oscal:resource/oscal:base64</code></div><div>test: <code>matches(normalize-space(), '^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/][AQgw]==|[A-Za-z0-9+/]{2}[AEIMQUYcgkosw048]=)?$')</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments → General: → when the base64 element → has content → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments → General: → when the base64 element → lacks content → that is an error</div></td></tr><tr><td>has-fedramp-acronyms</td><td><div><span class="assertion">A
FedRAMP OSCAL SSP must have the FedRAMP Master Acronym and Glossary attached.</span></div><div><span class="diagnostic" title="has-fedramp-acronyms-diagnostic"> This FedRAMP OSCAL SSP lacks the FedRAMP Master Acronym and Glossary.</span></div><div>context: <code>oscal:back-matter</code></div><div>test: <code>oscal:resource[oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @name = 'type' and @value = 'fedramp-acronyms']]</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments → Required attachments: → when the FedRAMP Master Acronym and Glossary attachment → is present → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments → Required attachments: → when the FedRAMP Master Acronym and Glossary attachment → is absent → that is an error</div></td></tr><tr><td>has-fedramp-citations</td><td><div><span class="assertion">
[Section B Check 3.12] A FedRAMP OSCAL SSP must have the FedRAMP Applicable Laws and Regulations attached.</span></div><div><span class="diagnostic" title="has-fedramp-citations-diagnostic"> This FedRAMP OSCAL SSP lacks the FedRAMP Applicable Laws and
Regulations.</span></div><div>context: <code>oscal:back-matter</code></div><div>test: <code>oscal:resource[oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @name = 'type' and @value = 'fedramp-citations']]</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments → Required attachments: → when the FedRAMP Applicable Laws and Regulations attachment → is present → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments → Required attachments: → when the FedRAMP Applicable Laws and Regulations attachment → is absent → that is an error</div><div>FedRAMP note: §15 Attachment 12</div></td></tr><tr><td>has-fedramp-logo</td><td><div><span class="assertion">A
FedRAMP OSCAL SSP must have the FedRAMP Logo attached.</span></div><div><span class="diagnostic" title="has-fedramp-logo-diagnostic"> This FedRAMP OSCAL SSP lacks the FedRAMP Logo.</span></div><div>context: <code>oscal:back-matter</code></div><div>test: <code>oscal:resource[oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @name = 'type' and @value = 'fedramp-logo']]</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments → Required attachments: → when the FedRAMP logo attachment → is present → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments → Required attachments: → when the FedRAMP logo attachment → is absent → that is an error</div></td></tr><tr><td>has-user-guide</td><td><div><span class="assertion">[Section
B Check 3.2] A FedRAMP OSCAL SSP must have a User Guide attached.</span></div><div><span class="diagnostic" title="has-user-guide-diagnostic"> This FedRAMP OSCAL SSP lacks a User Guide.</span></div><div>context: <code>oscal:back-matter</code></div><div>test: <code>oscal:resource[oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @name = 'type' and @value = 'user-guide']]</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments → Required attachments: → when the User Guide attachment → is present → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments → Required attachments: → when the User Guide attachment → is absent → that is an error</div><div>FedRAMP note: §15 Attachment 2</div></td></tr><tr><td>has-rules-of-behavior</td><td><div><span class="assertion">
[Section B Check 3.5] A FedRAMP OSCAL SSP must have Rules of Behavior.</span></div><div><span class="diagnostic" title="has-rules-of-behavior-diagnostic"> This FedRAMP OSCAL SSP lacks a Rules of Behavior.</span></div><div>context: <code>oscal:back-matter</code></div><div>test: <code>oscal:resource[oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @name = 'type' and @value = 'rules-of-behavior']]</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments → Required attachments: → when the Rules of Behavior attachment → is present → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments → Required attachments: → when the Rules of Behavior attachment → is absent → that is an error</div><div>FedRAMP note: §15 Attachment 5</div></td></tr><tr><td>has-information-system-contingency-plan</td><td><div><span class="assertion">
[Section B Check 3.6] A FedRAMP OSCAL SSP must have a Contingency Plan attached.</span></div><div><span class="diagnostic" title="has-information-system-contingency-plan-diagnostic"> This FedRAMP OSCAL SSP lacks a Contingency Plan.</span></div><div>context: <code>oscal:back-matter</code></div><div>test: <code>oscal:resource[oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @name = 'type' and @value = 'information-system-contingency-plan']]</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments → Required attachments: → when the Contingency Plan attachment → is present → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments → Required attachments: → when the Contingency Plan attachment → is absent → that is an error</div><div>FedRAMP note: §15 Attachment 6</div></td></tr><tr><td>has-configuration-management-plan</td><td><div><span class="assertion">
[Section B Check 3.7] A FedRAMP OSCAL SSP must have a Configuration Management Plan attached.</span></div><div><span class="diagnostic" title="has-configuration-management-plan-diagnostic"> This FedRAMP OSCAL SSP lacks a Configuration Management
Plan.</span></div><div>context: <code>oscal:back-matter</code></div><div>test: <code>oscal:resource[oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @name = 'type' and @value = 'configuration-management-plan']]</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments → Required attachments: → when the Configuration Management Plan attachment → is present → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments → Required attachments: → when the Configuration Management Plan attachment → is absent → that is an error</div><div>FedRAMP note: §15 Attachment 7</div></td></tr><tr><td>has-incident-response-plan</td><td><div><span class="assertion">
[Section B Check 3.8] A FedRAMP OSCAL SSP must have an Incident Response Plan attached.</span></div><div><span class="diagnostic" title="has-incident-response-plan-diagnostic"> This FedRAMP OSCAL SSP lacks an Incident Response Plan.</span></div><div>context: <code>oscal:back-matter</code></div><div>test: <code>oscal:resource[oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @name = 'type' and @value = 'incident-response-plan']]</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments → Required attachments: → when the Incident Response Plan attachment → is present → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments → Required attachments: → when the Incident Response Plan attachment → is absent → that is an error</div><div>FedRAMP note: §15 Attachment 8</div></td></tr><tr><td>has-separation-of-duties-matrix</td><td><div><span class="assertion">
[Section B Check 3.11] A FedRAMP OSCAL SSP must have a Separation of Duties Matrix attached.</span></div><div><span class="diagnostic" title="has-separation-of-duties-matrix-diagnostic"> This FedRAMP OSCAL SSP lacks a Separation of Duties Matrix.</span></div><div>context: <code>oscal:back-matter</code></div><div>test: <code>oscal:resource[oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @name = 'type' and @value = 'separation-of-duties-matrix']]</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments → Required attachments: → when the Separation of Duties Matrix attachment → is present → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments → Required attachments: → when the Separation of Duties Matrix attachment → is absent → that is an error</div><div>FedRAMP note: §15 Attachment 11</div></td></tr><tr><td>has-policy-link</td><td><div><span class="assertion">[Section B Check 3.1] A FedRAMP SSP must incorporate a
policy document for each of the 17 NIST SP 800-54 Revision 4 control families.</span></div><div><span class="diagnostic" title="has-policy-link-diagnostic"> <span class="substitution">&lt;sch:value-of select="local-name()"/&gt;</span><span class="substitution">&lt;sch:value-of select="@control-id"/&gt;</span><span class="substitution">&lt;sch:span class="message"&gt;lacks policy reference(s) (via by-component link)&lt;/sch:span&gt;</span>.</span></div><div>context: <code>oscal:implemented-requirement[matches(@control-id, '^[a-z]{2}-1$')]</code></div><div>test: <code>descendant::oscal:by-component/oscal:link[@rel = 'policy']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments → Required attachments: → Policy and Procedure Attachments: → for the policy facet of P&amp;P controls, → when the policy link to the resource declaring the policy document attachment → is present → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments → Required attachments: → Policy and Procedure Attachments: → for the policy facet of P&amp;P controls, → when the policy link to the resource declaring the policy document attachment → is absent → that is an error</div></td></tr><tr><td>has-policy-attachment-resource</td><td><div><span class="assertion">[Section B Check 3.1] A
FedRAMP SSP must incorporate a policy document for each of the 17 NIST SP 800-54 Revision 4 control families.</span></div><div><span class="diagnostic" title="has-policy-attachment-resource-diagnostic"> <span class="substitution">&lt;sch:value-of select="local-name()"/&gt;</span><span class="substitution">&lt;sch:value-of select="@control-id"/&gt;</span><span class="substitution">&lt;sch:span class="message"&gt;lacks policy attachment resource(s)&lt;/sch:span&gt;</span><span class="substitution">&lt;sch:value-of select="string-join($policy-hrefs, ', ')"/&gt;</span>.</span></div><div>context: <code>oscal:implemented-requirement[matches(@control-id, '^[a-z]{2}-1$')]</code></div><div>test: <code> every $ref in $policy-hrefs satisfies exists(//oscal:resource[oscal:prop[@name = 'type' and @value = 'policy']][@uuid = $ref])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments → Required attachments: → Policy and Procedure Attachments: → for the policy facet of P&amp;P controls, → when the policy attachment resource → is present → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments → Required attachments: → Policy and Procedure Attachments: → for the policy facet of P&amp;P controls, → when the policy attachment resource → is absent → that is an error</div></td></tr><tr><td>has-procedure-link</td><td><div><span class="assertion">[Section B Check 3.1] A FedRAMP SSP must incorporate a
procedure document for each of the 17 NIST SP 800-54 Revision 4 control families.</span></div><div><span class="diagnostic" title="has-procedure-link-diagnostic"> <span class="substitution">&lt;sch:value-of select="local-name()"/&gt;</span><span class="substitution">&lt;sch:value-of select="@control-id"/&gt;</span><span class="substitution">&lt;sch:span class="message"&gt;lacks procedure reference(s) (via by-component link)&lt;/sch:span&gt;</span>.</span></div><div>context: <code>oscal:implemented-requirement[matches(@control-id, '^[a-z]{2}-1$')]</code></div><div>test: <code>descendant::oscal:by-component/oscal:link[@rel = 'procedure']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments → Required attachments: → Policy and Procedure Attachments: → for the procedure facet of P&amp;P controls, → when the procedure link to the resource declaring the procedure document attachment → is present → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments → Required attachments: → Policy and Procedure Attachments: → for the procedure facet of P&amp;P controls, → when the procedure link to the resource declaring the procedure document attachment → is absent → that is an error</div></td></tr><tr><td>has-procedure-attachment-resource</td><td><div><span class="assertion">[Section B Check 3.1]
A FedRAMP SSP must incorporate a procedure document for each of the 17 NIST SP 800-54 Revision 4 control families.</span></div><div><span class="diagnostic" title="has-procedure-attachment-resource-diagnostic"> <span class="substitution">&lt;sch:value-of select="local-name()"/&gt;</span><span class="substitution">&lt;sch:value-of select="@control-id"/&gt;</span><span class="substitution">&lt;sch:span class="message"&gt;lacks procedure attachment resource(s)&lt;/sch:span&gt;</span><span class="substitution">&lt;sch:value-of select="string-join($procedure-hrefs, ', ')"/&gt;</span>.</span></div><div>context: <code>oscal:implemented-requirement[matches(@control-id, '^[a-z]{2}-1$')]</code></div><div>test: <code> (: targets of links exist in the document :) every $ref in $procedure-hrefs satisfies exists(//oscal:resource[oscal:prop[@name = 'type' and @value = 'procedure']][@uuid = $ref])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Attachments → Required attachments: → Policy and Procedure Attachments: → for the procedure facet of P&amp;P controls, → when the procedure attachment resource → is present → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Attachments → Required attachments: → Policy and Procedure Attachments: → for the procedure facet of P&amp;P controls, → when the procedure attachment resource → is absent → that is an error</div></td></tr><tr><td>has-privacy-poc-role</td><td><div><span class="assertion">[Section B Check 3.4] A FedRAMP OSCAL SSP
must incorporate a Privacy Point of Contact role.</span></div><div><span class="diagnostic" title="has-privacy-poc-role-diagnostic"> This FedRAMP OSCAL SSP lacks a Privacy Point of Contact role.</span></div><div>context: <code>oscal:metadata</code></div><div>test: <code>/oscal:system-security-plan/oscal:metadata/oscal:role[@id = 'privacy-poc']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Privacy Components → when the privacy-poc role → is defined → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Privacy Components → when the privacy-poc role → is missing → that is an error</div></td></tr><tr><td>has-responsible-party-privacy-poc-role</td><td><div><span class="assertion">[Section B Check 3.4] A
FedRAMP OSCAL SSP must declare a Privacy Point of Contact responsible party role reference.</span></div><div><span class="diagnostic" title="has-responsible-party-privacy-poc-role-diagnostic"> This FedRAMP OSCAL SSP lacks a Privacy Point of Contact responsible
party role reference.</span></div><div>context: <code>oscal:metadata</code></div><div>test: <code>/oscal:system-security-plan/oscal:metadata/oscal:responsible-party[@role-id = 'privacy-poc']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Privacy Components → when the privacy-poc responsible-party → is defined → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Privacy Components → when the privacy-poc responsible-party → is missing → that is an error</div></td></tr><tr><td>has-responsible-privacy-poc-party-uuid</td><td><div><span class="assertion">[Section
B Check 3.4] A FedRAMP OSCAL SSP must declare a Privacy Point of Contact responsible party role reference identifying the
party by UUID.</span></div><div><span class="diagnostic" title="has-responsible-privacy-poc-party-uuid-diagnostic"> This FedRAMP OSCAL SSP lacks a Privacy Point of Contact responsible
party role reference identifying the party by UUID.</span></div><div>context: <code>oscal:metadata</code></div><div>test: <code>/oscal:system-security-plan/oscal:metadata/oscal:responsible-party[@role-id = 'privacy-poc']/oscal:party-uuid</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Privacy Components → when the privacy-poc responsible-party uuid → is declared → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Privacy Components → when the privacy-poc responsible-party uuid → is missing → that is an error</div></td></tr><tr><td>has-privacy-poc</td><td><div><span class="assertion">[Section B Check 3.4] A FedRAMP OSCAL SSP
must define a Privacy Point of Contact.</span></div><div><span class="diagnostic" title="has-privacy-poc-diagnostic"> This FedRAMP OSCAL SSP lacks a Privacy Point of Contact.</span></div><div>context: <code>oscal:metadata</code></div><div>test: <code>/oscal:system-security-plan/oscal:metadata/oscal:party[@uuid = $poc-uuid]</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Privacy Components → when the privacy-poc → is declared → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Privacy Components → when the privacy-poc → is missing → that is an error</div></td></tr><tr><td>has-correct-yes-or-no-answer</td><td><div><span class="assertion">[Section B Check 3.4] A Privacy Threshold Analysis (PTA)/Privacy Impact Analysis
(PIA) qualifying question must have an allowed answer.</span></div><div><span class="diagnostic" title="has-correct-yes-or-no-answer-diagnostic"> This property has an incorrect value: should be "yes" or "no".</span></div><div>context: <code>oscal:prop[@name = 'privacy-sensitive'] | oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @class = 'pta' and matches(@name, '^pta-\d$')]</code></div><div>test: <code>current()/@value = ('yes', 'no')</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Privacy Components → when the privacy-sensitive designation value → is yes or no → when the PTA/PIA qualifying question → #1 → is properly answered → #2 → is properly answered → #3 → is properly answered → #4 → is properly answered → that is correct → that is correct → that is correct → that is correct → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Privacy Components → when the privacy-sensitive designation value → is not yes or no → when the PTA/PIA qualifying question → #1 → is not properly answered → #2 → is not properly answered → #3 → is not properly answered → #4 → is not properly answered → that is an error → that is an error → that is an error → that is an error → that is an error</div></td></tr><tr><td>has-privacy-sensitive-designation</td><td><div><span class="assertion">[Section B Check 3.4] A FedRAMP OSCAL SSP must have a privacy-sensitive
designation.</span></div><div><span class="diagnostic" title="has-privacy-sensitive-designation-diagnostic"> The privacy-sensitive designation is missing.</span></div><div>context: <code>/oscal:system-security-plan/oscal:system-characteristics/oscal:system-information</code></div><div>test: <code>oscal:prop[@name = 'privacy-sensitive']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Privacy Components → when the privacy-sensitive designation → is present → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Privacy Components → when the privacy-sensitive designation → is absent → that is an error</div></td></tr><tr><td>has-pta-question-1</td><td><div><span class="assertion">[Section B Check 3.4] A
FedRAMP OSCAL SSP must have Privacy Threshold Analysis (PTA)/Privacy Impact Analysis (PIA) qualifying question
#1.</span></div><div><span class="diagnostic" title="has-pta-question-1-diagnostic"> The Privacy Threshold Analysis (PTA)/Privacy Impact Analysis (PIA) qualifying question #1
is missing.</span></div><div>context: <code>/oscal:system-security-plan/oscal:system-characteristics/oscal:system-information</code></div><div>test: <code>oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @class = 'pta' and @name = 'pta-1']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Privacy Components → when the PTA/PIA qualifying question → #1 → is present → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Privacy Components → when the PTA/PIA qualifying question → #1 → is absent → that is an error</div></td></tr><tr><td>has-pta-question-2</td><td><div><span class="assertion">[Section B Check 3.4] A
FedRAMP OSCAL SSP must have Privacy Threshold Analysis (PTA)/Privacy Impact Analysis (PIA) qualifying question
#2.</span></div><div><span class="diagnostic" title="has-pta-question-2-diagnostic"> The Privacy Threshold Analysis (PTA)/Privacy Impact Analysis (PIA) qualifying question #2
is missing.</span></div><div>context: <code>/oscal:system-security-plan/oscal:system-characteristics/oscal:system-information</code></div><div>test: <code>oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @class = 'pta' and @name = 'pta-2']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Privacy Components → when the PTA/PIA qualifying question → #2 → is present → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Privacy Components → when the PTA/PIA qualifying question → #2 → is absent → that is an error</div></td></tr><tr><td>has-pta-question-3</td><td><div><span class="assertion">[Section B Check 3.4] A
FedRAMP OSCAL SSP must have Privacy Threshold Analysis (PTA)/Privacy Impact Analysis (PIA) qualifying question
#3.</span></div><div><span class="diagnostic" title="has-pta-question-3-diagnostic"> The Privacy Threshold Analysis (PTA)/Privacy Impact Analysis (PIA) qualifying question #3
is missing.</span></div><div>context: <code>/oscal:system-security-plan/oscal:system-characteristics/oscal:system-information</code></div><div>test: <code>oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @class = 'pta' and @name = 'pta-3']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Privacy Components → when the PTA/PIA qualifying question → #3 → is present → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Privacy Components → when the PTA/PIA qualifying question → #3 → is absent → that is an error</div></td></tr><tr><td>has-pta-question-4</td><td><div><span class="assertion">[Section B Check 3.4] A
FedRAMP OSCAL SSP must have Privacy Threshold Analysis (PTA)/Privacy Impact Analysis (PIA) qualifying question
#4.</span></div><div><span class="diagnostic" title="has-pta-question-4-diagnostic"> The Privacy Threshold Analysis (PTA)/Privacy Impact Analysis (PIA) qualifying question #4
is missing.</span></div><div>context: <code>/oscal:system-security-plan/oscal:system-characteristics/oscal:system-information</code></div><div>test: <code>oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @class = 'pta' and @name = 'pta-4']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Privacy Components → when the PTA/PIA qualifying question → #4 → is present → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Privacy Components → when the PTA/PIA qualifying question → #4 → is absent → that is an error</div></td></tr><tr><td>has-all-pta-questions</td><td><div><span class="assertion">[Section B Check
3.4] A FedRAMP OSCAL SSP must have all four PTA questions.</span></div><div><span class="diagnostic" title="has-all-pta-questions-diagnostic"> One or more of the four PTA questions is missing.</span></div><div>context: <code>/oscal:system-security-plan/oscal:system-characteristics/oscal:system-information</code></div><div>test: <code> every $name in ('pta-1', 'pta-2', 'pta-3', 'pta-4') satisfies exists(oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @class = 'pta' and @name = $name])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: <span class="missing">no coverage</span></div><div>negative XSpec test: <span class="missing">no coverage</span></div></td></tr><tr><td>has-correct-pta-question-cardinality</td><td><div><span class="assertion">[Section B Check
3.4] A FedRAMP OSCAL SSP must have no duplicate PTA questions.</span></div><div><span class="diagnostic" title="has-correct-pta-question-cardinality-diagnostic"> One or more of the four PTA questions is a duplicate.</span></div><div>context: <code>/oscal:system-security-plan/oscal:system-characteristics/oscal:system-information</code></div><div>test: <code> not(some $name in ('pta-1', 'pta-2', 'pta-3', 'pta-4') satisfies exists(oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @class = 'pta' and @name = $name][2]))</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: <span class="missing">no coverage</span></div><div>negative XSpec test: <span class="missing">no coverage</span></div></td></tr><tr><td>has-sorn</td><td><div><span class="assertion">
[Section B Check 3.4] A FedRAMP OSCAL SSP may have a SORN ID.</span></div><div><span class="diagnostic" title="has-sorn-diagnostic"> The SORN ID is missing.</span></div><div>context: <code>/oscal:system-security-plan/oscal:system-characteristics/oscal:system-information</code></div><div>test: <code>/oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @class = 'pta' and @name = 'pta-4' and @value = 'yes'] and oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @class = 'pta' and @name = 'sorn-id' and @value != '']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Privacy Components → when the PTA/PIA qualifying question #4 is answered affirmatively → and the SORN ID is provided → and the SORN ID is not provided → that is correct → that is an error</div><div>negative XSpec test: <span class="missing">no coverage</span></div></td></tr><tr><td>has-pia</td><td><div><span class="assertion">
[Section B Check 3.4] This FedRAMP OSCAL SSP must incorporate a Privacy Impact Analysis.</span></div><div><span class="diagnostic" title="has-pia-diagnostic"> This FedRAMP OSCAL SSP lacks a Privacy Impact Analysis.</span></div><div>context: <code>oscal:back-matter</code></div><div>test: <code> every $answer in //oscal:system-information/oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @class = 'pta' and matches(@name, '^pta-\d$')] satisfies $answer = 'no' or oscal:resource[oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @name = 'type' and @value = 'pia']] (: a PIA is attached :)</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Privacy Components → when the Privacy Impact Assessment → is declared → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Privacy Components → when the Privacy Impact Assessment → is missing → that is an error</div></td></tr><tr><td>has-CMVP-validation</td><td><div><span class="assertion">A FedRAMP OSCAL SSP must
incorporate one or more FIPS 140 validated modules.</span></div><div><span class="diagnostic" title="has-CMVP-validation-diagnostic"> This FedRAMP OSCAL SSP does not declare one or more FIPS 140 validated
modules.</span></div><div>context: <code>oscal:system-implementation</code></div><div>test: <code>oscal:component[@type = 'validation'] or oscal:inventory-item[@type = 'validation']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP FIPS 140 validation → when a system-implementation → has a CMVP validation component → has a CMVP validation inventory-item → that is correct → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP FIPS 140 validation → when a system-implementation → lacks a CMVP validation component → lacks a CMVP validation inventory-item → that is an error → that is an error</div></td></tr><tr><td>has-CMVP-validation-reference</td><td><div><span class="assertion">A validation component or inventory-item must have a validation-reference
property.</span></div><div><span class="diagnostic" title="has-CMVP-validation-reference-diagnostic"> This validation component or inventory-item lacks a validation-reference
property.</span></div><div>context: <code>oscal:component[@type = 'validation'] | oscal:inventory-item[@type = 'validation']</code></div><div>test: <code>oscal:prop[@name = 'validation-reference']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP FIPS 140 validation → when a CMVP validation component → has a validation-reference property → when a CMVP validation inventory-item → has a validation-reference property → that is correct → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP FIPS 140 validation → when a CMVP validation component → lacks a validation-reference property → when a CMVP validation inventory-item → lacks a validation-reference property → that is an error → that is an error</div></td></tr><tr><td>has-CMVP-validation-details</td><td><div><span class="assertion">A validation component or inventory-item must have a validation-details
link.</span></div><div><span class="diagnostic" title="has-CMVP-validation-details-diagnostic"> This validation component or inventory-item lacks a validation-details
link.</span></div><div>context: <code>oscal:component[@type = 'validation'] | oscal:inventory-item[@type = 'validation']</code></div><div>test: <code>oscal:link[@rel = 'validation-details']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP FIPS 140 validation → when a CMVP validation component → has a validation-details property → when a CMVP validation inventory-item → has a validation-details property → that is correct → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP FIPS 140 validation → when a CMVP validation component → lacks a validation-details property → when a CMVP validation inventory-item → lacks a validation-details property → that is an error → that is an error</div></td></tr><tr><td>has-credible-CMVP-validation-reference</td><td><div><span class="assertion">A validation-reference property must provide a CMVP certificate number.</span></div><div><span class="diagnostic" title="has-credible-CMVP-validation-reference-diagnostic"> This validation-reference property does not resemble a CMVP
certificate number.</span></div><div>context: <code>oscal:prop[@name = 'validation-reference']</code></div><div>test: <code>matches(@value, '^\d{3,4}$')</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP FIPS 140 validation → when a CMVP validation-reference → is credible → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP FIPS 140 validation → when a CMVP validation-reference → is not credible → that is an error</div></td></tr><tr><td>has-consonant-CMVP-validation-reference</td><td><div><span class="assertion">A validation-reference
property must be in accord with its sibling validation-details href.</span></div><div><span class="diagnostic" title="has-consonant-CMVP-validation-reference-diagnostic"> This validation-reference property does not match its sibling
validation-details href.</span></div><div>context: <code>oscal:prop[@name = 'validation-reference']</code></div><div>test: <code>@value = tokenize(following-sibling::oscal:link[@rel = 'validation-details']/@href,'/')[last()]</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP FIPS 140 validation → when a CMVP validation-reference → is consonant → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP FIPS 140 validation → when a CMVP validation-reference → is not consonant → that is an error</div></td></tr><tr><td>has-credible-CMVP-validation-details</td><td><div><span class="assertion">A
validation-details link must refer to a NIST CMVP certificate detail page.</span></div><div><span class="diagnostic" title="has-credible-CMVP-validation-details-diagnostic"> This validation-details link href attribute does not resemble a CMVP
certificate URL.</span></div><div>context: <code>oscal:link[@rel = 'validation-details']</code></div><div>test: <code>matches(@href, '^https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/\d{3,4}$')</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP FIPS 140 validation → when a CMVP validation-details → is credible → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP FIPS 140 validation → when a CMVP validation-details → is not credible → that is an error</div></td></tr><tr><td>has-consonant-CMVP-validation-details</td><td><div><span class="assertion">A
validation-details link must be in accord with its sibling validation-reference.</span></div><div><span class="diagnostic" title="has-consonant-CMVP-validation-details-diagnostic"> This validation-details link href attribute does not match its sibling
validation-reference value.</span></div><div>context: <code>oscal:link[@rel = 'validation-details']</code></div><div>test: <code>tokenize(@href, '/')[last()] = preceding-sibling::oscal:prop[@name = 'validation-reference']/@value</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP FIPS 140 validation → when a CMVP validation-details → is consonant → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP FIPS 140 validation → when a CMVP validation-details → is not consonant → that is an error</div></td></tr><tr><td>has-security-sensitivity-level</td><td><div><span class="assertion">A FedRAMP OSCAL SSP must specify a FIPS 199 categorization.</span></div><div><span class="diagnostic" title="has-security-sensitivity-level-diagnostic"> This FedRAMP OSCAL SSP lacks a FIPS 199 categorization.</span></div><div>context: <code>oscal:system-characteristics</code></div><div>test: <code>oscal:security-sensitivity-level</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP FIPS 199 Categorization → when a system-characteristics → has security-sensitivity-level → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP FIPS 199 Categorization → when a system-characteristics → lacks security-sensitivity-level → that is an error</div></td></tr><tr><td>has-security-impact-level</td><td><div><span class="assertion">A FedRAMP OSCAL SSP must specify a security impact level.</span></div><div><span class="diagnostic" title="has-security-impact-level-diagnostic"> This FedRAMP OSCAL SSP lacks a security impact level.</span></div><div>context: <code>oscal:system-characteristics</code></div><div>test: <code>oscal:security-impact-level</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP FIPS 199 Categorization → when a system-characteristics → has security-impact-level → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP FIPS 199 
Categorization → when a system-characteristics → lacks security-impact-level → that is an error</div></td></tr><tr><td>has-allowed-security-sensitivity-level</td><td><div><span class="assertion">A FedRAMP OSCAL SSP must specify an allowed
security-sensitivity-level.</span></div><div><span class="diagnostic" title="has-allowed-security-sensitivity-level-diagnostic"> Invalid security-sensitivity-level "
<span class="substitution">&lt;sch:value-of select="."/&gt;</span>". It must have one of the following
<span class="substitution">&lt;sch:value-of select="count($security-sensitivity-levels)"/&gt;</span> values:
<span class="substitution">&lt;sch:value-of select="string-join($security-sensitivity-levels, ' ∨ ')"/&gt;</span>.</span></div><div>context: <code>oscal:security-sensitivity-level</code></div><div>test: <code>current() = $security-sensitivity-levels</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP FIPS 199 Categorization → when a security-sensitivity-level → has an allowed value → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP FIPS 199 Categorization → when a security-sensitivity-level → lacks an allowed value → that is an error</div></td></tr><tr><td>has-security-objective-confidentiality</td><td><div><span class="assertion">A FedRAMP OSCAL SSP must specify a confidentiality security
objective.</span></div><div><span class="diagnostic" title="has-security-objective-confidentiality-diagnostic"> This FedRAMP OSCAL SSP lacks a confidentiality security
objective.</span></div><div>context: <code>oscal:security-impact-level</code></div><div>test: <code>oscal:security-objective-confidentiality</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP FIPS 199 Categorization → when a security-impact-level → has a security-objective-confidentiality → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP FIPS 199 Categorization → when a security-impact-level → lacks a security-objective-confidentiality → that is an error</div></td></tr><tr><td>has-security-objective-integrity</td><td><div><span class="assertion">A FedRAMP OSCAL SSP must specify an integrity security objective.</span></div><div><span class="diagnostic" title="has-security-objective-integrity-diagnostic"> This FedRAMP OSCAL SSP lacks an integrity security
objective.</span></div><div>context: <code>oscal:security-impact-level</code></div><div>test: <code>oscal:security-objective-integrity</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP FIPS 199 Categorization → when a security-impact-level → has a security-objective-integrity → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP FIPS 199 Categorization → when a security-impact-level → lacks a security-objective-integrity → that is an error</div></td></tr><tr><td>has-security-objective-availability</td><td><div><span class="assertion">A FedRAMP OSCAL SSP must specify an availability security
objective.</span></div><div><span class="diagnostic" title="has-security-objective-availability-diagnostic"> This FedRAMP OSCAL SSP lacks an availability security
objective.</span></div><div>context: <code>oscal:security-impact-level</code></div><div>test: <code>oscal:security-objective-availability</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP FIPS 199 Categorization → when a security-impact-level → has a security-objective-availability → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP FIPS 199 Categorization → when a security-impact-level → lacks a security-objective-availability → that is an error</div></td></tr><tr><td>has-allowed-security-objective-value</td><td><div><span class="assertion">A FedRAMP OSCAL SSP must specify an allowed security objective
value.</span></div><div><span class="diagnostic" title="has-allowed-security-objective-value-diagnostic"> Invalid
<span class="substitution">&lt;sch:value-of select="name()"/&gt;</span> "
<span class="substitution">&lt;sch:value-of select="."/&gt;</span>". It must have one of the following
<span class="substitution">&lt;sch:value-of select="count($security-objective-levels)"/&gt;</span> values:
<span class="substitution">&lt;sch:value-of select="string-join($security-objective-levels, ' ∨ ')"/&gt;</span>.</span></div><div>context: <code>oscal:security-objective-confidentiality | oscal:security-objective-integrity | oscal:security-objective-availability</code></div><div>test: <code>current() = $security-objective-levels</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP FIPS 199 Categorization → when a security-objective → has an allowed security objective value → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP FIPS 199 Categorization → when a security-objective → lacks an allowed security objective value → that is an error</div></td></tr><tr><td>system-information-has-information-type</td><td><div><span class="assertion">A FedRAMP OSCAL SSP must specify at least one information-type.</span></div><div><span class="diagnostic" title="system-information-has-information-type-diagnostic"> A FedRAMP OSCAL SSP lacks at least one
information-type.</span></div><div>context: <code>oscal:system-information</code></div><div>test: <code>oscal:information-type</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types → when a system-information → has an information-type → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types → when a system-information → lacks an information-type → that is an error</div></td></tr><tr><td>information-type-has-title</td><td><div><span class="assertion">A FedRAMP OSCAL SSP information-type must have a title.</span></div><div><span class="diagnostic" title="information-type-has-title-diagnostic"> A FedRAMP OSCAL SSP information-type lacks a title.</span></div><div>context: <code>oscal:information-type</code></div><div>test: <code>oscal:title</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types → when an information-type → has a title → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types → when an information-type → lacks title → that is an error</div></td></tr><tr><td>information-type-has-description</td><td><div><span class="assertion">A FedRAMP OSCAL SSP information-type must have a description.</span></div><div><span class="diagnostic" title="information-type-has-description-diagnostic"> A FedRAMP OSCAL SSP information-type lacks a description.</span></div><div>context: <code>oscal:information-type</code></div><div>test: <code>oscal:description</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types → when an information-type → has a description → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types → when an information-type → lacks description → that is an 
error</div></td></tr><tr><td>information-type-has-categorization</td><td><div><span class="assertion">A FedRAMP OSCAL SSP information-type must have at least one categorization.</span></div><div><span class="diagnostic" title="information-type-has-categorization-diagnostic"> A FedRAMP OSCAL SSP information-type lacks at least one
categorization.</span></div><div>context: <code>oscal:information-type</code></div><div>test: <code>oscal:categorization</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types → when an information-type → has a categorization → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types → when an information-type → lacks categorization → that is an error</div></td></tr><tr><td>information-type-has-confidentiality-impact</td><td><div><span class="assertion">A FedRAMP OSCAL SSP information-type must have a confidentiality-impact.</span></div><div><span class="diagnostic" title="information-type-has-confidentiality-impact-diagnostic"> A FedRAMP OSCAL SSP information-type lacks a
confidentiality-impact.</span></div><div>context: <code>oscal:information-type</code></div><div>test: <code>oscal:confidentiality-impact</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types → when an information-type → has a confidentiality-impact → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types → when an information-type → lacks confidentiality-impact → that is an error</div></td></tr><tr><td>information-type-has-integrity-impact</td><td><div><span class="assertion">A FedRAMP OSCAL SSP information-type must have an integrity-impact.</span></div><div><span class="diagnostic" title="information-type-has-integrity-impact-diagnostic"> A FedRAMP OSCAL SSP information-type lacks an
integrity-impact.</span></div><div>context: <code>oscal:information-type</code></div><div>test: <code>oscal:integrity-impact</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types → when an information-type → has an integrity-impact → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types → when an information-type → lacks integrity-impact → that is an error</div></td></tr><tr><td>information-type-has-availability-impact</td><td><div><span class="assertion">A FedRAMP OSCAL SSP information-type must have an availability-impact.</span></div><div><span class="diagnostic" title="information-type-has-availability-impact-diagnostic"> A FedRAMP OSCAL SSP information-type lacks an
availability-impact.</span></div><div>context: <code>oscal:information-type</code></div><div>test: <code>oscal:availability-impact</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types → when an information-type → has an availability-impact → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types → when an information-type → lacks availability-impact → that is an error</div></td></tr><tr><td>categorization-has-system-attribute</td><td><div><span class="assertion">A FedRAMP OSCAL SSP information-type categorization must have a system attribute.</span></div><div><span class="diagnostic" title="categorization-has-system-attribute-diagnostic"> A FedRAMP OSCAL SSP information-type categorization lacks a system
attribute.</span></div><div>context: <code>oscal:categorization</code></div><div>test: <code>@system</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types → when a categorization → has a system attribute → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types → when a categorization → lacks a system attribute → that is an error</div></td></tr><tr><td>categorization-has-correct-system-attribute</td><td><div><span class="assertion">A FedRAMP OSCAL SSP information-type categorization must have a
correct system attribute.</span></div><div><span class="diagnostic" title="categorization-has-correct-system-attribute-diagnostic"> A FedRAMP OSCAL SSP information-type categorization lacks a
correct system attribute. The correct value is "https://doi.org/10.6028/NIST.SP.800-60v2r1".</span></div><div>context: <code>oscal:categorization</code></div><div>test: <code>@system = 'https://doi.org/10.6028/NIST.SP.800-60v2r1'</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types → when a categorization → has a correct system attribute → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types → when a categorization → lacks a correct system attribute → that is an error</div></td></tr><tr><td>categorization-has-information-type-id</td><td><div><span class="assertion">A FedRAMP OSCAL SSP information-type categorization must have at least one
information-type-id.</span></div><div><span class="diagnostic" title="categorization-has-information-type-id-diagnostic"> A FedRAMP OSCAL SSP information-type categorization lacks at least one
information-type-id.</span></div><div>context: <code>oscal:categorization</code></div><div>test: <code>oscal:information-type-id</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types → when a categorization → has an information-type-id → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types → when a categorization → lacks information-type-id → that is an error</div></td></tr><tr><td>has-allowed-information-type-id</td><td><div><span class="assertion">A FedRAMP OSCAL SSP information-type-id must have a SP 800-60v2r1
identifier.</span></div><div><span class="diagnostic" title="has-allowed-information-type-id-diagnostic"> A FedRAMP OSCAL SSP information-type-id lacks a SP 800-60v2r1
identifier.</span></div><div>context: <code>oscal:information-type-id</code></div><div>test: <code>current()[. = $information-types]</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types → when a categorization → has an allowed information-type-id → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types → when a categorization → lacks an allowed information-type-id → that is an error</div></td></tr><tr><td>cia-impact-has-base</td><td><div><span class="assertion">A FedRAMP OSCAL SSP information-type confidentiality-, integrity-, or availability-impact must have a base
element.</span></div><div><span class="diagnostic" title="cia-impact-has-base-diagnostic"> A FedRAMP OSCAL SSP information-type confidentiality-, integrity-, or availability-impact
lacks a base element.</span></div><div>context: <code>oscal:confidentiality-impact | oscal:integrity-impact | oscal:availability-impact</code></div><div>test: <code>oscal:base</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types → when an information-type confidentiality-, integrity-, or availability-impact → has a base → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types → when an information-type confidentiality-, integrity-, or availability-impact → lacks base → that is an error</div></td></tr><tr><td>cia-impact-has-selected</td><td><div><span class="assertion">A FedRAMP OSCAL SSP information-type confidentiality-, integrity-, or availability-impact must have a
selected element.</span></div><div><span class="diagnostic" title="cia-impact-has-selected-diagnostic"> A FedRAMP OSCAL SSP information-type confidentiality-, integrity-, or
availability-impact lacks a selected element.</span></div><div>context: <code>oscal:confidentiality-impact | oscal:integrity-impact | oscal:availability-impact</code></div><div>test: <code>oscal:selected</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types → when an information-type confidentiality-, integrity-, or availability-impact → has a selected → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types → when an information-type confidentiality-, integrity-, or availability-impact → lacks selected → that is an error</div></td></tr><tr><td>cia-impact-has-approved-fips-categorization</td><td><div><span class="assertion">A FedRAMP OSCAL SSP information-type confidentiality-, integrity-, or availability-impact base or
selected element must have an approved value.</span></div><div><span class="diagnostic" title="cia-impact-has-approved-fips-categorization-diagnostic"> A FedRAMP OSCAL SSP information-type confidentiality-,
integrity-, or availability-impact base or selected element lacks an approved value.</span></div><div>context: <code>oscal:base | oscal:selected</code></div><div>test: <code>. = $fips-levels</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types → when an information-type confidentiality-, integrity-, or availability-impact → base element → has an approved value → selected element → has an approved value → that is correct → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP SP 800-60v2r1 Information Types → when an information-type confidentiality-, integrity-, or availability-impact → base element → lacks an approved value → selected element → lacks an approved value → that is an error → that is an error</div></td></tr><tr><td>has-security-eauth-level</td><td><div><span class="assertion">
[Section B Check 3.3] A FedRAMP OSCAL SSP must have a Digital Identity Determination property.</span></div><div><span class="diagnostic" title="has-security-eauth-level-diagnostic"> This FedRAMP OSCAL SSP lacks a Digital Identity Determination
property.</span></div><div>context: <code>oscal:system-characteristics</code></div><div>test: <code>oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @class = 'security-eauth' and @name = 'security-eauth-level']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Digital Identity Determination → when a system-characteristics → has a security-eauth-level → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Digital Identity Determination → when a system-characteristics → lacks a security-eauth-level → that is an error</div></td></tr><tr><td>has-identity-assurance-level</td><td><div><span class="assertion">[Section B Check 3.3] A FedRAMP OSCAL SSP may have a Digital Identity
Determination identity-assurance-level property.</span></div><div><span class="diagnostic" title="has-identity-assurance-level-diagnostic"> A FedRAMP OSCAL SSP may lack a Digital Identity Determination
identity-assurance-level property.</span></div><div>context: <code>oscal:system-characteristics</code></div><div>test: <code>oscal:prop[@name = 'identity-assurance-level']</code></div><div>role: <code>information</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Digital Identity Determination → when a system-characteristics → has an identity-assurance-level → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Digital Identity Determination → when a system-characteristics → lacks an identity-assurance-level → that is acceptable</div></td></tr><tr><td>has-authenticator-assurance-level</td><td><div><span class="assertion">[Section B Check 3.3] A FedRAMP OSCAL SSP may have a Digital
Identity Determination authenticator-assurance-level property.</span></div><div><span class="diagnostic" title="has-authenticator-assurance-level-diagnostic"> A FedRAMP OSCAL SSP may lack a Digital Identity Determination
authenticator-assurance-level property.</span></div><div>context: <code>oscal:system-characteristics</code></div><div>test: <code>oscal:prop[@name = 'authenticator-assurance-level']</code></div><div>role: <code>information</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Digital Identity Determination → when a system-characteristics → has an authenticator-assurance-level → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Digital Identity Determination → when a system-characteristics → lacks an authenticator-assurance-level → that is acceptable</div></td></tr><tr><td>has-federation-assurance-level</td><td><div><span class="assertion">[Section B Check 3.3] A FedRAMP OSCAL SSP may have a Digital Identity
Determination federation-assurance-level property.</span></div><div><span class="diagnostic" title="has-federation-assurance-level-diagnostic"> A FedRAMP OSCAL SSP may lack a Digital Identity Determination
federation-assurance-level property.</span></div><div>context: <code>oscal:system-characteristics</code></div><div>test: <code>oscal:prop[@name = 'federation-assurance-level']</code></div><div>role: <code>information</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Digital Identity Determination → when a system-characteristics → has a federation-assurance-level → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Digital Identity Determination → when a system-characteristics → lacks a federation-assurance-level → that is acceptable</div></td></tr><tr><td>has-allowed-security-eauth-level</td><td><div><span class="assertion">[Section B Check 3.3] A FedRAMP OSCAL SSP must have a Digital Identity Determination
property with an allowed value.</span></div><div><span class="diagnostic" title="has-allowed-security-eauth-level-diagnostic"> This FedRAMP OSCAL SSP lacks a Digital Identity Determination property with
an allowed value.</span></div><div>context: <code>oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @class = 'security-eauth' and @name = 'security-eauth-level']</code></div><div>test: <code>@value = $security-eauth-levels</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Digital Identity Determination → when a system-characteristics → has an allowed security-eauth-level → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Digital Identity Determination → when a system-characteristics → lacks an allowed security-eauth-level → that is an error</div></td></tr><tr><td>has-allowed-identity-assurance-level</td><td><div><span class="assertion">[Section B Check 3.3] A FedRAMP OSCAL SSP should have an allowed Digital Identity
Determination identity-assurance-level property.</span></div><div><span class="diagnostic" title="has-allowed-identity-assurance-level-diagnostic"> A FedRAMP OSCAL SSP may lack an allowed Digital Identity Determination
identity-assurance-level property.</span></div><div>context: <code>oscal:prop[@name = 'identity-assurance-level']</code></div><div>test: <code>@value = $identity-assurance-levels</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Digital Identity Determination → when a system-characteristics → has an allowed identity-assurance-level → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Digital Identity Determination → when a system-characteristics → lacks an allowed identity-assurance-level → that is an error</div></td></tr><tr><td>has-allowed-authenticator-assurance-level</td><td><div><span class="assertion">[Section B Check 3.3] A FedRAMP OSCAL SSP should have an allowed Digital
Identity Determination authenticator-assurance-level property.</span></div><div><span class="diagnostic" title="has-allowed-authenticator-assurance-level-diagnostic"> A FedRAMP OSCAL SSP may lack an allowed Digital Identity
Determination authenticator-assurance-level property.</span></div><div>context: <code>oscal:prop[@name = 'authenticator-assurance-level']</code></div><div>test: <code>@value = $authenticator-assurance-levels</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Digital Identity Determination → when a system-characteristics → has an allowed authenticator-assurance-level → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Digital Identity Determination → when a system-characteristics → lacks an allowed authenticator-assurance-level → that is an error</div></td></tr><tr><td>has-allowed-federation-assurance-level</td><td><div><span class="assertion">[Section B Check 3.3] A FedRAMP OSCAL SSP should have an allowed Digital
Identity Determination federation-assurance-level property.</span></div><div><span class="diagnostic" title="has-allowed-federation-assurance-level-diagnostic"> A FedRAMP OSCAL SSP may lack an allowed Digital Identity Determination
federation-assurance-level property.</span></div><div>context: <code>oscal:prop[@name = 'federation-assurance-level']</code></div><div>test: <code>@value = $federation-assurance-levels</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP Digital Identity Determination → when a system-characteristics → has an allowed federation-assurance-level → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP Digital Identity Determination → when a system-characteristics → lacks an allowed federation-assurance-level → that is an error</div></td></tr><tr><td>has-inventory-items</td><td><div><span class="assertion">A FedRAMP OSCAL SSP must incorporate inventory-item elements.</span></div><div><span class="diagnostic" title="has-inventory-items-diagnostic"> This FedRAMP OSCAL SSP lacks inventory-item elements.</span></div><div>context: <code>/oscal:system-security-plan/oscal:system-implementation</code></div><div>test: <code>oscal:inventory-item</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory → when the system-implementation → has inventory items → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory → when the system-implementation → lacks inventory items → that is an error</div></td></tr><tr><td>has-unique-asset-id</td><td><div><span class="assertion">An asset-id must be unique.</span></div><div><span class="diagnostic" title="has-unique-asset-id-diagnostic"> This asset id
<span class="substitution">&lt;sch:value-of select="@asset-id"/&gt;</span>is not unique. An asset id must be unique within the scope of a FedRAMP OSCAL SSP
document.</span></div><div>context: <code>oscal:prop[@name = 'asset-id']</code></div><div>test: <code>count(//oscal:prop[@name = 'asset-id'][@value = current()/@value]) = 1</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory → asset-id must be unique. → affirmative → correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory → asset-id must be unique. → negative → error</div></td></tr><tr><td>has-allowed-asset-type</td><td><div><span class="assertion">An asset-type property must have an allowed value.</span></div><div><span class="diagnostic" title="has-allowed-asset-type-diagnostic"> <span class="substitution">&lt;sch:value-of select="name()"/&gt;</span>should have a FedRAMP asset type
<span class="substitution">&lt;sch:value-of select="string-join($asset-types, ' ∨ ')"/&gt;</span>(not "
<span class="substitution">&lt;sch:value-of select="@value"/&gt;</span>").</span></div><div>context: <code>oscal:prop[@name = 'asset-type']</code></div><div>test: <code>@value = $asset-types</code></div><div>role: <code>warning</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory → asset-type property has an allowed value. → affirmative → correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory → asset-type property has an allowed value. → negative → error</div></td></tr><tr><td>has-allowed-virtual</td><td><div><span class="assertion">A virtual property must have an allowed value.</span></div><div><span class="diagnostic" title="has-allowed-virtual-diagnostic"> <span class="substitution">&lt;sch:value-of select="name()"/&gt;</span>must have an allowed value
<span class="substitution">&lt;sch:value-of select="string-join($virtuals, ' ∨ ')"/&gt;</span> (not "
<span class="substitution">&lt;sch:value-of select="@value"/&gt;</span>").</span></div><div>context: <code>oscal:prop[@name = 'virtual']</code></div><div>test: <code>@value = $virtuals</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory → virtual property has an allowed value. → affirmative → correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory → virtual property has an allowed value. → negative → error</div></td></tr><tr><td>has-allowed-public</td><td><div><span class="assertion">A public property must have an allowed value.</span></div><div><span class="diagnostic" title="has-allowed-public-diagnostic"> <span class="substitution">&lt;sch:value-of select="name()"/&gt;</span>must have an allowed value
<span class="substitution">&lt;sch:value-of select="string-join($publics, ' ∨ ')"/&gt;</span> (not "
<span class="substitution">&lt;sch:value-of select="@value"/&gt;</span>").</span></div><div>context: <code>oscal:prop[@name = 'public']</code></div><div>test: <code>@value = $publics</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory → public property has an allowed value. → affirmative → correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory → public property has an allowed value. → negative → error</div></td></tr><tr><td>has-allowed-allows-authenticated-scan</td><td><div><span class="assertion">An allows-authenticated-scan property has an allowed value.</span></div><div><span class="diagnostic" title="has-allowed-allows-authenticated-scan-diagnostic"> <span class="substitution">&lt;sch:value-of select="name()"/&gt;</span>must have an allowed value
<span class="substitution">&lt;sch:value-of select="string-join($allows-authenticated-scans, ' ∨ ')"/&gt;</span> (not "
<span class="substitution">&lt;sch:value-of select="@value"/&gt;</span>").</span></div><div>context: <code>oscal:prop[@name = 'allows-authenticated-scan']</code></div><div>test: <code>@value = $allows-authenticated-scans</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory → allows-authenticated-scan property has an allowed value. → affirmative → correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory → allows-authenticated-scan property has an allowed value. → negative → error</div></td></tr><tr><td>has-allowed-is-scanned</td><td><div><span class="assertion">is-scanned property must have an allowed value.</span></div><div><span class="diagnostic" title="has-allowed-is-scanned-diagnostic"> <span class="substitution">&lt;sch:value-of select="name()"/&gt;</span>must have an allowed value
<span class="substitution">&lt;sch:value-of select="string-join($is-scanneds, ' ∨ ')"/&gt;</span> (not "
<span class="substitution">&lt;sch:value-of select="@value"/&gt;</span>").</span></div><div>context: <code>oscal:prop[@name = 'is-scanned']</code></div><div>test: <code>@value = $is-scanneds</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory → is-scanned property has an allowed value. → affirmative → correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory → is-scanned property has an allowed value. → negative → error</div></td></tr><tr><td>inventory-item-has-allowed-scan-type</td><td><div><span class="assertion">A scan-type property must have an allowed value.</span></div><div><span class="diagnostic" title="inventory-item-has-allowed-scan-type-diagnostic"> <span class="substitution">&lt;sch:value-of select="name()"/&gt;</span>must have an allowed value
<span class="substitution">&lt;sch:value-of select="string-join($scan-types, ' ∨ ')"/&gt;</span> (not "
<span class="substitution">&lt;sch:value-of select="@value"/&gt;</span>").</span></div><div>context: <code>oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @name = 'scan-type']</code></div><div>test: <code>@value = $scan-types</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → has a scan-type property → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → lacks a scan-type property → that is an error</div></td></tr><tr><td>component-has-allowed-type</td><td><div><span class="assertion">A component must have an allowed type.</span></div><div><span class="diagnostic" title="component-has-allowed-type-diagnostic"> <span class="substitution">&lt;sch:value-of select="name()"/&gt;</span>must have an allowed component type
<span class="substitution">&lt;sch:value-of select="string-join($component-types, ' ∨ ')"/&gt;</span> (not "
<span class="substitution">&lt;sch:value-of select="@type"/&gt;</span>").</span></div><div>context: <code>oscal:component</code></div><div>test: <code>@type = $component-types</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory → component has an allowed type. → affirmative → correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory → component has an allowed type. → negative → error</div></td></tr><tr><td>inventory-item-has-uuid</td><td><div><span class="assertion">An inventory-item has a uuid.</span></div><div><span class="diagnostic" title="inventory-item-has-uuid-diagnostic"> This inventory-item lacks a uuid attribute.</span></div><div>context: <code>oscal:inventory-item</code></div><div>test: <code>@uuid</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → has a uuid attribute → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → lacks a uuid attribute → that is an error</div></td></tr><tr><td>has-asset-id</td><td><div><span class="assertion">An inventory-item must have an asset-id.</span></div><div><span class="diagnostic" title="has-asset-id-diagnostic"> This inventory-item lacks an asset-id property.</span></div><div>context: <code>oscal:inventory-item</code></div><div>test: <code>oscal:prop[@name = 'asset-id']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → has an asset-id. → affirmative → correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → has an asset-id. 
→ negative → error</div></td></tr><tr><td>has-one-asset-id</td><td><div><span class="assertion">An inventory-item must have only one asset-id.</span></div><div><span class="diagnostic" title="has-one-asset-id-diagnostic"> This inventory-item has more than one asset-id property.</span></div><div>context: <code>oscal:inventory-item</code></div><div>test: <code>not(oscal:prop[@name = 'asset-id'][2])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → has only one asset-id. → affirmative → correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → has only one asset-id. → negative → error</div></td></tr><tr><td>inventory-item-has-asset-type</td><td><div><span class="assertion">An inventory-item must have an asset-type.</span></div><div><span class="diagnostic" title="inventory-item-has-asset-type-diagnostic"> This inventory-item lacks an asset-type property.</span></div><div>context: <code>oscal:inventory-item</code></div><div>test: <code>oscal:prop[@name = 'asset-type']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → has an asset-type → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → lacks an asset-type → that is an error</div></td></tr><tr><td>inventory-item-has-one-asset-type</td><td><div><span class="assertion">An inventory-item must have only one asset-type.</span></div><div><span class="diagnostic" title="inventory-item-has-one-asset-type-diagnostic"> This inventory-item has more than one asset-type property.</span></div><div>context: <code>oscal:inventory-item</code></div><div>test: <code>not(oscal:prop[@name = 'asset-type'][2])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → has only one 
asset-type. → affirmative → correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → has only one asset-type. → negative → error</div></td></tr><tr><td>inventory-item-has-virtual</td><td><div><span class="assertion">An inventory-item must have a virtual property.</span></div><div><span class="diagnostic" title="inventory-item-has-virtual-diagnostic"> This inventory-item lacks a virtual property.</span></div><div>context: <code>oscal:inventory-item</code></div><div>test: <code>oscal:prop[@name = 'virtual']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → has a virtual property → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → lacks a virtual property → that is an error</div></td></tr><tr><td>inventory-item-has-one-virtual</td><td><div><span class="assertion">An inventory-item must have only one virtual property.</span></div><div><span class="diagnostic" title="inventory-item-has-one-virtual-diagnostic"> This inventory-item has more than one virtual property.</span></div><div>context: <code>oscal:inventory-item</code></div><div>test: <code>not(oscal:prop[@name = 'virtual'][2])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → has only one virtual property. → affirmative → has only one virtual property. → affirmative → correct → correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → has only one virtual property. → negative → has only one virtual property. 
→ negative → error → error</div></td></tr><tr><td>inventory-item-has-public</td><td><div><span class="assertion">An inventory-item must have a public property.</span></div><div><span class="diagnostic" title="inventory-item-has-public-diagnostic"> This inventory-item lacks a public property.</span></div><div>context: <code>oscal:inventory-item</code></div><div>test: <code>oscal:prop[@name = 'public']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → has a public property → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → lacks a public property → that is an error</div></td></tr><tr><td>inventory-item-has-one-public</td><td><div><span class="assertion">An inventory-item must have only one public property.</span></div><div><span class="diagnostic" title="inventory-item-has-one-public-diagnostic"> This inventory-item has more than one public property.</span></div><div>context: <code>oscal:inventory-item</code></div><div>test: <code>not(oscal:prop[@name = 'public'][2])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → has only one public property. → affirmative → correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → has only one public property. 
→ negative → error</div></td></tr><tr><td>inventory-item-has-scan-type</td><td><div><span class="assertion">An inventory-item must have a scan-type property.</span></div><div><span class="diagnostic" title="inventory-item-has-scan-type-diagnostic"> This inventory-item lacks a scan-type property.</span></div><div>context: <code>oscal:inventory-item</code></div><div>test: <code>oscal:prop[@name = 'scan-type']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → has scan-type property. → affirmative → correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → has scan-type property. → negative → error</div></td></tr><tr><td>inventory-item-has-one-scan-type</td><td><div><span class="assertion">An inventory-item has only one scan-type property.</span></div><div><span class="diagnostic" title="inventory-item-has-one-scan-type-diagnostic"> This inventory-item has more than one scan-type property.</span></div><div>context: <code>oscal:inventory-item</code></div><div>test: <code>not(oscal:prop[@name = 'scan-type'][2])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → has only one scan-type property. → affirmative → correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → has only one scan-type property. → negative → error</div></td></tr><tr><td>inventory-item-has-allows-authenticated-scan</td><td><div><span class="assertion">"infrastructure" inventory-item has
allows-authenticated-scan.</span></div><div><span class="diagnostic" title="inventory-item-has-allows-authenticated-scan-diagnostic"> This inventory-item lacks allows-authenticated-scan
property.</span></div><div>context: <code>oscal:inventory-item[oscal:prop[@name = 'asset-type' and @value = ('os', 'infrastructure')]]</code></div><div>test: <code>oscal:prop[@name = 'allows-authenticated-scan']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → has a allows-authenticated-scan property → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → lacks a allows-authenticated-scan property → that is an error</div></td></tr><tr><td>inventory-item-has-one-allows-authenticated-scan</td><td><div><span class="assertion">An inventory-item has one-allows-authenticated-scan
property.</span></div><div><span class="diagnostic" title="inventory-item-has-one-allows-authenticated-scan-diagnostic"> This inventory-item has more than one
allows-authenticated-scan property.</span></div><div>context: <code>oscal:inventory-item[oscal:prop[@name = 'asset-type' and @value = ('os', 'infrastructure')]]</code></div><div>test: <code>not(oscal:prop[@name = 'allows-authenticated-scan'][2])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → has only one one-allows-authenticated-scan property. → affirmative → correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → has only one one-allows-authenticated-scan property. → negative → error</div></td></tr><tr><td>inventory-item-has-baseline-configuration-name</td><td><div><span class="assertion">"infrastructure" inventory-item has
baseline-configuration-name.</span></div><div><span class="diagnostic" title="inventory-item-has-baseline-configuration-name-diagnostic"> This inventory-item lacks baseline-configuration-name
property.</span></div><div>context: <code>oscal:inventory-item[oscal:prop[@name = 'asset-type' and @value = ('os', 'infrastructure')]]</code></div><div>test: <code>oscal:prop[@name = 'baseline-configuration-name']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → has a baseline-configuration-name property → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → lacks a baseline-configuration-name property → that is an error</div></td></tr><tr><td>inventory-item-has-one-baseline-configuration-name</td><td><div><span class="assertion">"infrastructure" inventory-item has only one
baseline-configuration-name.</span></div><div><span class="diagnostic" title="inventory-item-has-one-baseline-configuration-name-diagnostic"> This inventory-item has more than one
baseline-configuration-name property.</span></div><div>context: <code>oscal:inventory-item[oscal:prop[@name = 'asset-type' and @value = ('os', 'infrastructure')]]</code></div><div>test: <code>not(oscal:prop[@name = 'baseline-configuration-name'][2])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → "infrastructure" asset-type has only one baseline-configuration-name. → affirmative → correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → "infrastructure" asset-type has only one baseline-configuration-name. → negative → error</div></td></tr><tr><td>inventory-item-has-vendor-name</td><td><div><span class="assertion">"infrastructure" inventory-item has a
vendor-name property.</span></div><div><span class="diagnostic" title="inventory-item-has-vendor-name-diagnostic"> This inventory-item lacks a vendor-name property.</span></div><div>context: <code>oscal:inventory-item[oscal:prop[@name = 'asset-type' and @value = ('os', 'infrastructure')]]</code></div><div>test: <code>oscal:prop[(: @ns = 'https://fedramp.gov/ns/oscal' and :)@name = 'vendor-name']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → has a vendor-name property → that is correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → lacks a vendor-name property → that is an error</div></td></tr><tr><td>inventory-item-has-one-vendor-name</td><td><div><span class="assertion">"infrastructure"
inventory-item must have only one vendor-name property.</span></div><div><span class="diagnostic" title="inventory-item-has-one-vendor-name-diagnostic"> This inventory-item has more than one vendor-name
property.</span></div><div>context: <code>oscal:inventory-item[oscal:prop[@name = 'asset-type' and @value = ('os', 'infrastructure')]]</code></div><div>test: <code>not(oscal:prop[(: @ns = 'https://fedramp.gov/ns/oscal' and :)@name = 'vendor-name'][2])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → "infrastructure" asset-type has only one vendor-name property. → affirmative → correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → "infrastructure" asset-type has only one vendor-name property. → negative → error</div></td></tr><tr><td>inventory-item-has-hardware-model</td><td><div><span class="assertion">"infrastructure" inventory-item
must have a hardware-model property.</span></div><div><span class="diagnostic" title="inventory-item-has-hardware-model-diagnostic"> This inventory-item lacks a hardware-model property.</span></div><div>context: <code>oscal:inventory-item[oscal:prop[@name = 'asset-type' and @value = ('os', 'infrastructure')]]</code></div><div>test: <code>oscal:prop[(: @ns = 'https://fedramp.gov/ns/oscal' and :)@name = 'hardware-model']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → "infrastructure" asset-type has a hardware-model property. → affirmative → correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → "infrastructure" asset-type has a hardware-model property. → negative → error</div></td></tr><tr><td>inventory-item-has-one-hardware-model</td><td><div><span class="assertion">"infrastructure"
inventory-item must have only one hardware-model property.</span></div><div><span class="diagnostic" title="inventory-item-has-one-hardware-model-diagnostic"> This inventory-item has more than one hardware-model
property.</span></div><div>context: <code>oscal:inventory-item[oscal:prop[@name = 'asset-type' and @value = ('os', 'infrastructure')]]</code></div><div>test: <code>not(oscal:prop[(: @ns = 'https://fedramp.gov/ns/oscal' and :)@name = 'hardware-model'][2])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → "infrastructure" asset-type has only one hardware-model property. → affirmative → correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → "infrastructure" asset-type has only one hardware-model property. → negative → error</div></td></tr><tr><td>inventory-item-has-is-scanned</td><td><div><span class="assertion">"infrastructure" inventory-item must have is-scanned property.</span></div><div><span class="diagnostic" title="inventory-item-has-is-scanned-diagnostic"> This inventory-item lacks is-scanned property.</span></div><div>context: <code>oscal:inventory-item[oscal:prop[@name = 'asset-type' and @value = ('os', 'infrastructure')]]</code></div><div>test: <code>oscal:prop[@name = 'is-scanned']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → "infrastructure" asset-type has is-scanned property. → affirmative → correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → "infrastructure" asset-type has is-scanned property. → negative → error</div></td></tr><tr><td>inventory-item-has-one-is-scanned</td><td><div><span class="assertion">"infrastructure" inventory-item must have only one is-scanned
property.</span></div><div><span class="diagnostic" title="inventory-item-has-one-is-scanned-diagnostic"> This inventory-item has more than one is-scanned property.</span></div><div>context: <code>oscal:inventory-item[oscal:prop[@name = 'asset-type' and @value = ('os', 'infrastructure')]]</code></div><div>test: <code>not(oscal:prop[@name = 'is-scanned'][2])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → "infrastructure" asset-type has only one is-scanned property. → affirmative → correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → "infrastructure" asset-type has only one is-scanned property. → negative → error</div></td></tr><tr><td>inventory-item-has-software-name</td><td><div><span class="assertion">"software or database" inventory-item must have a software-name
property.</span></div><div><span class="diagnostic" title="inventory-item-has-software-name-diagnostic"> This inventory-item lacks software-name property.</span></div><div>context: <code>oscal:inventory-item[oscal:prop[@name = 'asset-type']/@value = ('software', 'database')]</code></div><div>test: <code>oscal:prop[@name = 'software-name']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → "software or database" asset-type has software-name property. → affirmative → correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → "software or database" asset-type has software-name property. → negative → error</div></td></tr><tr><td>inventory-item-has-one-software-name</td><td><div><span class="assertion">"software or database" inventory-item must have a software-name
property.</span></div><div><span class="diagnostic" title="inventory-item-has-one-software-name-diagnostic"> This inventory-item has more than one software-name
property.</span></div><div>context: <code>oscal:inventory-item[oscal:prop[@name = 'asset-type']/@value = ('software', 'database')]</code></div><div>test: <code>not(oscal:prop[@name = 'software-name'][2])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → "software or database" asset-type has software-name property. → affirmative → correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → "software or database" asset-type has software-name property. → negative → error</div></td></tr><tr><td>inventory-item-has-software-version</td><td><div><span class="assertion">"software or database" inventory-item must have a software-version
property.</span></div><div><span class="diagnostic" title="inventory-item-has-software-version-diagnostic"> This inventory-item lacks software-version property.</span></div><div>context: <code>oscal:inventory-item[oscal:prop[@name = 'asset-type']/@value = ('software', 'database')]</code></div><div>test: <code>oscal:prop[@name = 'software-version']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → "software or database" asset-type has software-version property. → affirmative → correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → "software or database" asset-type has software-version property. → negative → error</div></td></tr><tr><td>inventory-item-has-one-software-version</td><td><div><span class="assertion">"software or database" inventory-item must have one software-version
property.</span></div><div><span class="diagnostic" title="inventory-item-has-one-software-version-diagnostic"> This inventory-item has more than one software-version
property.</span></div><div>context: <code>oscal:inventory-item[oscal:prop[@name = 'asset-type']/@value = ('software', 'database')]</code></div><div>test: <code>not(oscal:prop[@name = 'software-version'][2])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → "software or database" asset-type has one software-version property. → affirmative → correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → "software or database" asset-type has one software-version property. → negative → error</div></td></tr><tr><td>inventory-item-has-function</td><td><div><span class="assertion">"software or database" inventory-item must have a function property.</span></div><div><span class="diagnostic" title="inventory-item-has-function-diagnostic"> <span class="substitution">&lt;sch:value-of select="name()"/&gt;</span>"
<span class="substitution">&lt;sch:value-of select="oscal:prop[@name = 'asset-type']/@value"/&gt;</span>" lacks function property.</span></div><div>context: <code>oscal:inventory-item[oscal:prop[@name = 'asset-type']/@value = ('software', 'database')]</code></div><div>test: <code>oscal:prop[@name = 'function']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → "software or database" asset-type has function property. → affirmative → correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → "software or database" asset-type has function property. → negative → error</div></td></tr><tr><td>inventory-item-has-one-function</td><td><div><span class="assertion">"software or database" inventory-item must have one function
property.</span></div><div><span class="diagnostic" title="inventory-item-has-one-function-diagnostic"> <span class="substitution">&lt;sch:value-of select="name()"/&gt;</span>"
<span class="substitution">&lt;sch:value-of select="oscal:prop[@name = 'asset-type']/@value"/&gt;</span>" has more than one function property.</span></div><div>context: <code>oscal:inventory-item[oscal:prop[@name = 'asset-type']/@value = ('software', 'database')]</code></div><div>test: <code>not(oscal:prop[@name = 'function'][2])</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → "software or database" asset-type has one function property. → affirmative → correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → "software or database" asset-type has one function property. → negative → error</div></td></tr><tr><td>component-has-asset-type</td><td><div><span class="assertion">A component must have an asset type.</span></div><div><span class="diagnostic" title="component-has-asset-type-diagnostic"> <span class="substitution">&lt;sch:value-of select="name()"/&gt;</span>lacks an asset-type property.</span></div><div>context: <code>/oscal:system-security-plan/oscal:system-implementation/oscal:component[(: a component referenced by any inventory-item :)@uuid = //oscal:inventory-item/oscal:implemented-component/@component-uuid]</code></div><div>test: <code>oscal:prop[@name = 'asset-type']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → component has an asset type. → affirmative → correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → component has an asset type. 
→ negative → error</div></td></tr><tr><td>component-has-one-asset-type</td><td><div><span class="assertion">A component must have one asset type.</span></div><div><span class="diagnostic" title="component-has-one-asset-type-diagnostic"> <span class="substitution">&lt;sch:value-of select="name()"/&gt;</span>has more than one asset-type property.</span></div><div>context: <code>/oscal:system-security-plan/oscal:system-implementation/oscal:component[(: a component referenced by any inventory-item :)@uuid = //oscal:inventory-item/oscal:implemented-component/@component-uuid]</code></div><div>test: <code>oscal:prop[@name = 'asset-type']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → component has one asset type. → affirmative → correct</div><div>negative XSpec test: FedRAMP OSCAL SSP System Inventory → when the inventory-item → component has one asset type. → negative → error</div></td></tr><tr><td>has-system-component</td><td><div><span class="assertion">A FedRAMP OSCAL SSP must have a system component.</span></div><div><span class="diagnostic" title="has-system-component-diagnostic"> This FedRAMP OSCAL SSP lacks a system component.</span></div><div>context: <code>oscal:system-implementation</code></div><div>test: <code>oscal:component[@type = 'system']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: <span class="missing">no coverage</span></div><div>negative XSpec test: <span class="missing">no coverage</span></div></td></tr><tr><td>has-system-id</td><td><div><span class="assertion">A FedRAMP OSCAL SSP must have a FedRAMP
system-id.</span></div><div><span class="diagnostic" title="has-system-id-diagnostic"> This FedRAMP OSCAL SSP lacks a FedRAMP system-id.</span></div><div>context: <code>oscal:system-characteristics</code></div><div>test: <code>oscal:system-id[@identifier-type = 'https://fedramp.gov/']</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: <span class="missing">no coverage</span></div><div>negative XSpec test: <span class="missing">no coverage</span></div></td></tr><tr><td>has-system-name</td><td><div><span class="assertion">A FedRAMP OSCAL SSP must have a system-name.</span></div><div><span class="diagnostic" title="has-system-name-diagnostic"> This FedRAMP OSCAL SSP lacks a system-name.</span></div><div>context: <code>oscal:system-characteristics</code></div><div>test: <code>oscal:system-name</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: <span class="missing">no coverage</span></div><div>negative XSpec test: <span class="missing">no coverage</span></div></td></tr><tr><td>has-system-name-short</td><td><div><span class="assertion">A FedRAMP OSCAL SSP must have a system-name-short.</span></div><div><span class="diagnostic" title="has-system-name-short-diagnostic"> This FedRAMP OSCAL SSP lacks a system-name-short.</span></div><div>context: <code>oscal:system-characteristics</code></div><div>test: <code>oscal:system-name-short</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: <span class="missing">no coverage</span></div><div>negative XSpec test: <span class="missing">no coverage</span></div></td></tr><tr><td>has-fedramp-authorization-type</td><td><div><span class="assertion">
A FedRAMP OSCAL SSP must have a FedRAMP authorization type.</span></div><div><span class="diagnostic" title="has-fedramp-authorization-type-diagnostic"> This FedRAMP OSCAL SSP lacks a FedRAMP authorization type.</span></div><div>context: <code>oscal:system-characteristics</code></div><div>test: <code>oscal:prop[@ns = 'https://fedramp.gov/ns/oscal' and @name = 'authorization-type' and @value = ('fedramp-jab', 'fedramp-agency', 'fedramp-li-saas')]</code></div><div>role: <code>error</code></div><div>affirmative XSpec test: <span class="missing">no coverage</span></div><div>negative XSpec test: <span class="missing">no coverage</span></div></td></tr></tbody></table><h2>FedRAMP Values</h2><p>The <code>fedramp_values.xml</code> document contains value enumerations for various FedRAMP OSCAL document elements.</p><table id="fedramp_values.xml"><caption><code>fedramp_values.xml</code> constraints</caption><thead><tr><th>Name</th><th>Values</th><th>Context(s) - <span class="highlight">Light blue</span> highlights use of name in context. 
<span class="highlight-missed">Yellow</span> highlights absence of name in context.</th></tr></thead><tbody><tr><td rowspan="3"><div><code>address-type</code></div></td><td><div><code>home</code></div><div><code>work</code></div></td><td><div><code><span class="highlight-missed">party/address/@type</span></code></div></td></tr><tr><td colspan="2"><u>Address Type</u>: <i>The type of address for the party</i></td></tr><tr><td colspan="2">Remarks: FedRAMP requires work addresses.</td></tr><tr><td rowspan="3"><div><code>allows-authenticated-scan</code></div></td><td><div><code>yes</code></div><div><code>no</code></div></td><td><div><code>inventory-item/prop[@name='<span class="highlight">allows-authenticated-scan</span>']/@value</code></div><div><code>component/prop[@name='<span class="highlight">allows-authenticated-scan</span>']/@value</code></div></td></tr><tr><td colspan="2"><u>Allows Authenticated Scan</u>: <i>Indicates if the asset is capable of having an authenticated scan.</i></td></tr><tr><td colspan="2">Remarks: if the value is "no", the prop remarks must contain the reason why.</td></tr><tr><td rowspan="2"><div><code>asset-type</code></div></td><td><div><code>os</code></div><div><code>database</code></div><div><code>web-server</code></div><div><code>dns-server</code></div><div><code>email-server</code></div><div><code>directory-server</code></div><div><code>pbx</code></div><div><code>firewall</code></div><div><code>router</code></div><div><code>switch</code></div><div><code>storage-array</code></div><div><i>or any other value</i></div></td><td><div><code>component/prop[@name='<span class="highlight">asset-type</span>']</code></div><div><code>inventory-item/prop[@name='<span class="highlight">asset-type</span>']</code></div></td></tr><tr><td colspan="2"><u>Asset Type</u>: <i>Identifies the type of asset.</i></td></tr><tr><td 
rowspan="2"><div><code>attachment-type</code></div></td><td><div><code>law</code></div><div><code>regulation</code></div><div><code>standard</code></div><div><code>guidance</code></div><div><code>pii</code></div><div><code>policy</code></div><div><code>procedure</code></div><div><code>guide</code></div><div><code>pia</code></div><div><code>rules-of-behavior</code></div><div><code>plan</code></div><div><code>system-security-plan</code></div><div><code>artifact</code></div><div><code>evidence</code></div><div><code>screen-shot</code></div><div><code>image</code></div><div><code>tool-report</code></div><div><code>raw-tool-output</code></div><div><code>interview-notes</code></div><div><code>questionnaire</code></div><div><code>report</code></div><div><code>fedramp-citations</code></div><div><code>fedramp-acronyms</code></div><div><code>fedramp-logo</code></div><div><code>separation-of-duties-matrix</code></div><div><code>logo</code></div><div><code>Personal-Identifiable-Information</code></div><div><code>agreement</code></div><div><code>incident-response-plan</code></div><div><code>information-security-policies-and-procedures</code></div><div><code>user-guide</code></div><div><code>privacy-impact-assessment</code></div><div><code>information-system-contingency-plan</code></div><div><code>configuration-management-plan</code></div><div><i>or any other value</i></div></td><td><div><code><span class="highlight-missed">resource/prop[@name='type'][@ns='https://fedramp.gov/ns/oscal']</span><span class="NB"> ☚ Note the <code>@ns</code></span></code></div></td></tr><tr><td colspan="2"><u>Attachment Type</u>: <i>Identifies the type of attachment.</i></td></tr><tr><td rowspan="2"><div><code>authenticator-assurance-level</code></div></td><td><div><code>1</code></div><div><code>2</code></div><div><code>3</code></div></td><td><div><code>system-characteristics/prop[@name='<span class="highlight">authenticator-assurance-level</span>']</code></div></td></tr><tr><td 
colspan="2"><u>Authenticator Assurance Level</u>: <i>The authenticator assurance level as defined by NIST SP 800-63, Revision 3.</i></td></tr><tr><td rowspan="2"><div><code>authorization-type</code></div></td><td><div><code>fedramp-jab</code></div><div><code>fedramp-agency</code></div><div><code>fedramp-li-saas</code></div></td><td><div><code>system-characteristics/prop[@name='<span class="highlight">authorization-type</span>'][@ns='https://fedramp.gov/ns/oscal']<span class="NB"> ☚ Note the <code>@ns</code></span></code></div></td></tr><tr><td colspan="2"><u>Authorization Type</u>: <i>The FedRAMP Authorization Type</i></td></tr><tr><td rowspan="2"><div><code>component-operational-status</code></div></td><td><div><code>operational</code></div><div><code>under-development</code></div><div><code>disposition</code></div><div><code>other</code></div></td><td><div><code><span class="highlight-missed">component/status/@state</span></code></div></td></tr><tr><td colspan="2"><u>Operational Status (component)</u>: <i>The operational status of the component</i></td></tr><tr><td rowspan="2"><div><code>component-type</code></div></td><td><div><code>software</code></div><div><code>hardware</code></div><div><code>service</code></div><div><code>policy</code></div><div><code>process</code></div><div><code>procedure</code></div><div><code>plan</code></div><div><code>guidance</code></div><div><code>standard</code></div><div><code>validation</code></div><div><code>system</code></div><div><code>interconnection</code></div><div><i>or any other value</i></div></td><td><div><code>component/@<span class="highlight">component-type</span></code></div></td></tr><tr><td colspan="2"><u>Component Type</u>: <i>identifies the component type.</i></td></tr><tr><td 
rowspan="2"><div><code>control-implementation-status</code></div></td><td><div><code>implemented</code></div><div><code>partial</code></div><div><code>planned</code></div><div><code>alternative</code></div><div><code>not-applicable</code></div></td><td><div><code><span class="highlight-missed">implemented-requirement/prop[@name='implementation-status']/@value</span></code></div></td></tr><tr><td colspan="2"><u>Control Implementation Status</u>: <i>The implementation status of the control.</i></td></tr><tr><td rowspan="2"><div><code>control-origination</code></div></td><td><div><code>sp-corporate</code></div><div><code>sp-system</code></div><div><code>customer-configured</code></div><div><code>customer-provided</code></div><div><code>inherited</code></div></td><td><div><code>implemented-requirement/prop[@name='<span class="highlight">control-origination</span>'][@ns='https://fedramp.gov/ns/oscal']/@value<span class="NB"> ☚ Note the <code>@ns</code></span></code></div></td></tr><tr><td colspan="2"><u>Control Origination</u>: <i>The point(s) from which the control satisfaction originates.</i></td></tr><tr><td rowspan="2"><div><code>deployment-model</code></div></td><td><div><code>public-cloud</code></div><div><code>private-cloud</code></div><div><code>community-cloud</code></div><div><code>government-only-cloud</code></div><div><code>hybrid-cloud</code></div><div><code>other</code></div></td><td><div><code>system-characteristics/prop[@name='<span class="highlight">deployment-model</span>']/@value</code></div></td></tr><tr><td colspan="2"><u>Deployment Model</u>: <i>The cloud deployment model.</i></td></tr><tr><td rowspan="2"><div><code>eauth-level</code></div></td><td><div><code>1</code></div><div><code>2</code></div><div><code>3</code></div></td><td><div><code>system-characteristics/prop[@name='security-<span class="highlight">eauth-level</span>'][@ns='https://fedramp.gov/ns/oscal']<span class="NB"> ☚ Note the <code>@ns</code></span></code></div></td></tr><tr><td 
colspan="2"><u>eAuth Level</u>: <i>The eAuthentication level as defined by NIST SP 800-63, Revision 3.</i></td></tr><tr><td rowspan="2"><div><code>federation-assurance-level</code></div></td><td><div><code>1</code></div><div><code>2</code></div><div><code>3</code></div></td><td><div><code>system-characteristics/prop[@name='<span class="highlight">federation-assurance-level</span>']</code></div></td></tr><tr><td colspan="2"><u>Federation Assurance Level</u>: <i>The federation assurance level as defined by NIST SP 800-63, Revision 3.</i></td></tr><tr><td rowspan="2"><div><code>hash-algorithm</code></div></td><td><div><code>SHA-224</code></div><div><code>SHA-256</code></div><div><code>SHA-384</code></div><div><code>SHA-512</code></div><div><code>RIPEMD-160</code></div><div><i>or any other value</i></div></td><td><div><code><span class="highlight-missed">resource/hash/@algorithm</span></code></div></td></tr><tr><td colspan="2"><u>Hash Algorithm</u>: <i>Identifies the algorithm used to create the hash value of the attachment.</i></td></tr><tr><td rowspan="2"><div><code>identity-assurance-level</code></div></td><td><div><code>1</code></div><div><code>2</code></div><div><code>3</code></div></td><td><div><code>system-characteristics/prop[@name='<span class="highlight">identity-assurance-level</span>']</code></div></td></tr><tr><td colspan="2"><u>Identity Assurance Level</u>: <i>The identity assurance level as defined by NIST SP 800-63, Revision 3.</i></td></tr><tr><td rowspan="2"><div><code>impact-level</code></div></td><td><div><code>low</code></div><div><code>moderate</code></div><div><code>high</code></div></td><td><div><code><span class="highlight-missed">risk/risk-metric[@name='impact'][@system='https://fedramp.gov']</span></code></div></td></tr><tr><td colspan="2"><u>Impact Level</u>: <i>The impact level of a risk.</i></td></tr><tr><td 
rowspan="3"><div><code>information-type-system</code></div></td><td><div><code>https://doi.org/10.6028/NIST.SP.800-60v2r1</code></div></td><td><div><code><span class="highlight-missed">information-type/information-type-id/@system</span></code></div></td></tr><tr><td colspan="2"><u>Information Type System</u>: <i>Identifies the system from which the information type was defined.</i></td></tr><tr><td colspan="2">Remarks: FedRAMP only allows information types defined in NIST SP 800-60v2r1.</td></tr><tr><td rowspan="2"><div><code>interconnection-direction</code></div></td><td><div><code>incoming</code></div><div><code>outgoing</code></div><div><code>incoming-outgoing</code></div></td><td><div><code><span class="highlight-missed">component[@component-type='interconnection']/prop[@name='direction'][@ns='https://fedramp.gov/ns/oscal']</span><span class="NB"> ☚ Note the <code>@ns</code></span></code></div></td></tr><tr><td colspan="2"><u>Interconnection Direction</u>: <i>Identifies the direction of information flow for the interconnection.</i></td></tr><tr><td rowspan="2"><div><code>interconnection-security</code></div></td><td><div><code>ipsec</code></div><div><code>vpn</code></div><div><code>ssl</code></div><div><code>certificate</code></div><div><code>secure-file-transfer</code></div><div><code>other</code></div></td><td><div><code><span class="highlight-missed">component[@component-type='interconnection']/prop[@name='connection-security'][@ns='https://fedramp.gov/ns/oscal']/@value</span><span class="NB"> ☚ Note the <code>@ns</code></span></code></div></td></tr><tr><td colspan="2"><u>Interconnection Security</u>: <i>Identifies the type of security applied to the interconnection.</i></td></tr><tr><td rowspan="3"><div><code>is-scanned</code></div></td><td><div><code>yes</code></div><div><code>no</code></div></td><td><div><code>inventory-item/prop[@name='<span class="highlight">is-scanned</span>']/@value</code></div><div><code><span 
class="highlight-missed">component/prop[@name='is-scannan']/@value</span></code></div></td></tr><tr><td colspan="2"><u>Is Scanned</u>: <i>Indicates if the asset is scanned.</i></td></tr><tr><td colspan="2">Remarks: if the value is "no", the prop remarks must contain the reason why.</td></tr><tr><td rowspan="2"><div><code>likelihood</code></div></td><td><div><code>low</code></div><div><code>moderate</code></div><div><code>high</code></div></td><td><div><code>risk/risk-metric[@name='<span class="highlight">likelihood</span>'][@system='https://fedramp.gov']</code></div></td></tr><tr><td colspan="2"><u>Likelihood</u>: <i>The likelihood of a risk.</i></td></tr><tr><td rowspan="2"><div><code>media-type</code></div></td><td><div><code>application/gzip</code></div><div><code>application/msword</code></div><div><code>application/octet-stream</code></div><div><code>application/pdf</code></div><div><code>application/vnd.ms-excel</code></div><div><code>application/vnd.ms-works</code></div><div><code>application/vnd.oasis.opendocument.graphics</code></div><div><code>application/vnd.oasis.opendocument.presentation</code></div><div><code>application/vnd.oasis.opendocument.spreadsheet</code></div><div><code>application/vnd.oasis.opendocument.text</code></div><div><code>application/vnd.openxmlformats-officedocument.presentationml.presentation</code></div><div><code>application/vnd.openxmlformats-officedocument.spreadsheetml.sheet</code></div><div><code>application/vnd.openxmlformats-officedocument.wordprocessingml.document</code></div><div><code>application/x-bzip</code></div><div><code>application/x-bzip2</code></div><div><code>application/x-tar</code></div><div><code>application/zip</code></div><div><code>image/bmp</code></div><div><code>image/jpeg</code></div><div><code>image/png</code></div><div><code>image/tiff</code></div><div><code>image/webp</code></div><div><code>image/svg+xml</code></div><div><code>text/csv</code></div><div><code>text/html</code></div><div><code>text/plain</c
ode></div></td><td><div><code>rlink/@<span class="highlight">media-type</span></code></div><div><code>base64/@<span class="highlight">media-type</span></code></div></td></tr><tr><td colspan="2"><u>Resource Media Types</u>: <i>A subset of IANA media types expected to be encountered.</i></td></tr><tr><td rowspan="2"><div><code>privacy-designation</code></div></td><td><div><code>yes</code></div><div><code>no</code></div></td><td><div><code><span class="highlight-missed">system-information/prop[@name='privacy-sensitive']</span></code></div></td></tr><tr><td colspan="2"><u>Privacy Designation</u>: <i>Indicates whether this system is privacy sensitive.</i></td></tr><tr><td rowspan="2"><div><code>privacy-threshold-analysis-q1</code></div></td><td><div><code>yes</code></div><div><code>no</code></div></td><td><div><code><span class="highlight-missed">system-information/prop[@name='pta-1'][@ns='https://fedramp.gov/ns/oscal']</span><span class="NB"> ☚ Note the <code>@ns</code></span></code></div></td></tr><tr><td colspan="2"><u>Privacy Threshold Analysis (Q1)</u>: <i>Does the ISA collect, maintain, or share PII in any identifiable form?</i></td></tr><tr><td rowspan="2"><div><code>privacy-threshold-analysis-q2</code></div></td><td><div><code>yes</code></div><div><code>no</code></div></td><td><div><code><span class="highlight-missed">system-information/prop[@name='pta-2'][@ns='https://fedramp.gov/ns/oscal']</span><span class="NB"> ☚ Note the <code>@ns</code></span></code></div></td></tr><tr><td colspan="2"><u>Privacy Threshold Analysis (Q2)</u>: <i>Does the ISA collect, maintain, share PII info from or about the public?</i></td></tr><tr><td rowspan="2"><div><code>privacy-threshold-analysis-q3</code></div></td><td><div><code>yes</code></div><div><code>no</code></div></td><td><div><code><span class="highlight-missed">system-information/prop[@name='pta-3'][@ns='https://fedramp.gov/ns/oscal']</span><span class="NB"> ☚ Note the <code>@ns</code></span></code></div></td></tr><tr><td 
colspan="2"><u>Privacy Threshold Analysis (Q3)</u>: <i>Has a Privacy Impact Assessment ever been performed for the ISA?</i></td></tr><tr><td rowspan="3"><div><code>privacy-threshold-analysis-q4</code></div></td><td><div><code>yes</code></div><div><code>no</code></div></td><td><div><code><span class="highlight-missed">system-information/prop[@name='pta-4'][@ns='https://fedramp.gov/ns/oscal']</span><span class="NB"> ☚ Note the <code>@ns</code></span></code></div></td></tr><tr><td colspan="2"><u>Privacy Threshold Analysis (Q4)</u>: <i>Is there a Privacy Act System of Records Notice (SORN) for this ISA system?</i></td></tr><tr><td colspan="2">Remarks: If "yes" a SORN ID must be provided.</td></tr><tr><td rowspan="2"><div><code>public</code></div></td><td><div><code>yes</code></div><div><code>no</code></div></td><td><div><code>inventory-item/prop[@name='<span class="highlight">public</span>']</code></div><div><code>component/prop[@name='<span class="highlight">public</span>']</code></div></td></tr><tr><td colspan="2"><u>Public</u>: <i>Indicates if the asset is exposed to the public Internet.</i></td></tr><tr><td rowspan="2"><div><code>role-type</code></div></td><td><div><code>assessor</code></div><div><code>assessment-team</code></div><div><code>assessment-lead</code></div><div><code>assessment-executive</code></div><div><code>cloud-service-provider</code></div><div><code>csp-operations-center</code></div><div><code>csp-assessment-poc</code></div><div><code>csp-end-of-testing-poc</code></div><div><code>csp-results-poc</code></div><div><code>fedramp-pmo</code></div><div><code>fedramp-jab</code></div><div><code>penetration-test-team</code></div><div><code>penetration-test-lead</code></div><div><i>or any other value</i></div></td><td><div><code><span class="highlight-missed">role/@id</span></code></div></td></tr><tr><td colspan="2"><u>Defined Role Identifiers</u>: <i>Identifies the type of role for a responsible party.</i></td></tr><tr><td 
rowspan="2"><div><code>scan-type</code></div></td><td><div><code>infrastructure</code></div><div><code>database</code></div><div><code>web</code></div><div><code>other</code></div></td><td><div><code>component/prop[@name='<span class="highlight">scan-type</span>'][@ns='https://fedramp.gov/ns/oscal']<span class="NB"> ☚ Note the <code>@ns</code></span></code></div><div><code>inventory-item/prop[@name='<span class="highlight">scan-type</span>'][@ns='https://fedramp.gov/ns/oscal']<span class="NB"> ☚ Note the <code>@ns</code></span></code></div></td></tr><tr><td colspan="2"><u>Scan Type</u>: <i>Identifies the type of scan.</i></td></tr><tr><td rowspan="2"><div><code>security-impact-level</code></div></td><td><div><code>fips-199-low</code></div><div><code>fips-199-moderate</code></div><div><code>fips-199-high</code></div></td><td><div><code><span class="highlight-missed">information-type/confidentiality-impact/base</span></code></div><div><code><span class="highlight-missed">information-type/confidentiality-impact/selected</span></code></div><div><code><span class="highlight-missed">information-type/availability-impact/base</span></code></div><div><code><span class="highlight-missed">information-type/availability-impact/selected</span></code></div><div><code><span class="highlight-missed">information-type/integrity-impact/base</span></code></div><div><code><span class="highlight-missed">information-type/integrity-impact/selected</span></code></div></td></tr><tr><td colspan="2"><u>Security Impact Level</u>: <i>The security objective level as defined by NIST SP 800-60.</i></td></tr><tr><td rowspan="2"><div><code>security-objective-level</code></div></td><td><div><code>fips-199-low</code></div><div><code>fips-199-moderate</code></div><div><code>fips-199-high</code></div></td><td><div><code><span class="highlight-missed">system-characteristics/security-impact-level/security-objective-confidentiality</span></code></div><div><code><span 
class="highlight-missed">system-characteristics/security-impact-level/security-objective-availability</span></code></div><div><code><span class="highlight-missed">system-characteristics/security-impact-level/security-objective-integrity</span></code></div></td></tr><tr><td colspan="2"><u>Security Objective Level</u>: <i>The security objective level as defined by FIPS-199.</i></td></tr><tr><td rowspan="2"><div><code>security-sensitivity-level</code></div></td><td><div><code>low</code></div><div><code>moderate</code></div><div><code>high</code></div></td><td><div><code><span class="highlight">security-sensitivity-level</span></code></div></td></tr><tr><td colspan="2"><u>Security Sensitivity Level</u>: <i>The security sensitivity level for the system.</i></td></tr><tr><td rowspan="2"><div><code>service-model</code></div></td><td><div><code>saas</code></div><div><code>paas</code></div><div><code>iaas</code></div><div><code>other</code></div></td><td><div><code>system-characteristics/prop[@name='<span class="highlight">service-model</span>']/@value</code></div></td></tr><tr><td colspan="2"><u>Service Model</u>: <i>The cloud service model.</i></td></tr><tr><td rowspan="2"><div><code>system-identifier-type</code></div></td><td><div><code>http://fedramp.gov</code></div><div><code>https://ietf.org/rfc/rfc4122</code></div><div><i>or any other value</i></div></td><td><div><code><span class="highlight-missed">system-id/@identifier-type</span></code></div></td></tr><tr><td colspan="2"><u>System Identifier Type</u>: <i>Indicates the source of the unique ID assigned to the system. 
FedRAMP requires a FedRAMP-assigned identifier; however, additional identifiers may also be provided.</i></td></tr><tr><td rowspan="2"><div><code>system-operational-status</code></div></td><td><div><code>operational</code></div><div><code>under-development</code></div><div><code>under-major-modification</code></div><div><code>disposition</code></div><div><code>other</code></div></td><td><div><code><span class="highlight-missed">system-characteristics/status/@state</span></code></div></td></tr><tr><td colspan="2"><u>Operational Status (system)</u>: <i>The operational status of the system</i></td></tr><tr><td rowspan="2"><div><code>transport-type</code></div></td><td><div><code>TCP</code></div><div><code>UDP</code></div></td><td><div><code><span class="highlight-missed">component[@component-type='service']/protocol/port-range/@transport</span></code></div></td></tr><tr><td colspan="2"><u>Transport Type</u>: <i>The internet protocol transport type.</i></td></tr><tr><td rowspan="2"><div><code>user-privilege</code></div></td><td><div><code>privileged</code></div><div><code>non-privileged</code></div><div><code>no-logical-access</code></div></td><td><div><code><span class="highlight-missed">user/prop[@name='privilege-level']/@value</span></code></div></td></tr><tr><td colspan="2"><u>User Privilege</u>: <i>Identifies the privilege level of the user.</i></td></tr><tr><td rowspan="2"><div><code>user-sensitivity-level</code></div></td><td><div><code>high-risk</code></div><div><code>severe</code></div><div><code>moderate</code></div><div><code>limited</code></div><div><code>not-applicable</code></div></td><td><div><code><span class="highlight-missed">user/prop[@name='sensitivity'][@ns='https://fedramp.gov/ns/oscal']</span><span class="NB"> ☚ Note the <code>@ns</code></span></code></div></td></tr><tr><td colspan="2"><u>User Sensitivity level</u>: <i>Identifies the sensitivity level of the user.</i></td></tr><tr><td 
rowspan="2"><div><code>user-type</code></div></td><td><div><code>internal</code></div><div><code>external</code></div><div><code>general-public</code></div></td><td><div><code><span class="highlight-missed">user/prop[@name='type']/@value</span></code></div></td></tr><tr><td colspan="2"><u>User Type</u>: <i>Identifies the user type.</i></td></tr><tr><td rowspan="2"><div><code>virtual</code></div></td><td><div><code>yes</code></div><div><code>no</code></div></td><td><div><code>inventory-item/prop[@name='<span class="highlight">virtual</span>']</code></div><div><code>component/prop[@name='<span class="highlight">virtual</span>']</code></div></td></tr><tr><td colspan="2"><u>Virtual</u>: <i>Indicates if the asset is virtual.</i></td></tr></tbody></table><h2>FedRAMP Extensions</h2><p>The <code>FedRAMP_extensions.xml</code> document contains OSCAL schema extensions for FedRAMP OSCAL documents.</p><table id="FedRAMP_extensions.xml"><caption><code>FedRAMP_extensions.xml</code> constraints</caption><thead><tr><th>Name</th><th>Values</th><th>Context(s) - <span class="highlight">Light blue</span> highlights use of name in context. 
<span class="highlight-missed">Yellow</span> highlights absence of name in context.</th></tr></thead><tbody><tr><td rowspan="3"><div><code>attachment-type</code></div></td><td><div><code>personally-identifiable-information</code></div><div><code>privacy-impact-analysis</code></div><div><code>fedramp-citations</code></div><div><code>system-security-plan</code></div></td><td><div><code><span class="highlight-missed">/*/o:back-matter/o:resource/o:prop[@name='type']</span></code></div></td></tr><tr><td colspan="2"><u>Attachment/Resource Types</u>: <i>FedRAMP additional attachment/resource types.</i></td></tr><tr><td colspan="2">Remarks: These are in addition to the NIST-defined allowed values for resource types.</td></tr><tr><td rowspan="3"><div><code>control-implementation-status-constraints</code></div></td><td><div><code>implemented</code></div><div><code>partial</code></div><div><code>planned</code></div><div><code>alternative</code></div><div><code>not-applicable</code></div></td><td><div><code><span class="highlight-missed">/o:system-security-plan/o:control-implmentation/o:implemented-requirement/o:prop[@name='implementation-status'][@ns='https://fedramp.gov/ns/oscal']/@value</span><span class="NB"> ☚ Note the <code>@ns</code></span></code></div></td></tr><tr><td colspan="2"><u>Control Implementation Status Constraints</u>: <i>Defines the data type and allowed values for the Control Implementation Status</i></td></tr><tr><td colspan="2">Remarks:
When an extension is a prop, the data type and allowed values must be defined in a separate constraint.
</td></tr><tr><td rowspan="2"><div><code>control-origination-constraints</code></div></td><td><div><code>sp-corporate</code></div><div><code>sp-system</code></div><div><code>customer-configured</code></div><div><code>customer-provided</code></div><div><code>inherited</code></div></td><td><div><code><span class="highlight-missed">/o:system-security-plan/o:control-implmentation/o:implemented-requirement/o:prop[@name='control-origination'][@ns='https://fedramp.gov/ns/oscal']/@value</span><span class="NB"> ☚ Note the <code>@ns</code></span></code></div></td></tr><tr><td colspan="2"><u>Control Origination</u>: <i>The point(s) from which the control satisfaction originates.</i></td></tr><tr><td rowspan="3"><div><code>deployment-model</code></div></td><td><div><code>public-cloud</code></div><div><code>private-cloud</code></div><div><code>government-only-cloud</code></div><div><code>hybrid-cloud</code></div><div><code>other</code></div></td><td><div><code>/o:system-security-plan/o:system-characteristics/o:prop[@name='<span class="highlight">deployment-model</span>']/@value</code></div></td></tr><tr><td colspan="2"><u>Deployment Model</u>: <i>The cloud deployment model.</i></td></tr><tr><td colspan="2">Remarks:
NIST also defines a community cloud model; however, FedRAMP does not accept this response.
</td></tr><tr><td rowspan="3"><div><code>fedramp-assessment-role-identifiers</code></div></td><td><div><code>assessor</code></div><div><code>assessment-team</code></div><div><code>assessment-lead</code></div><div><code>assessment-executive</code></div><div><code>csp-assessment-poc</code></div><div><code>csp-end-of-testing-poc</code></div><div><code>csp-results-poc</code></div><div><code>penetration-test-team</code></div><div><code>penetration-test-lead</code></div></td><td><div><code><span class="highlight-missed">/*/o:metadata/o:role/@id</span></code></div></td></tr><tr><td colspan="2"><u>Assessment Role Identifiers</u>: <i>FedRAMP additional role identifiers.</i></td></tr><tr><td colspan="2">Remarks: These are in addition to the NIST-defined allowed values for role identifiers, and apply to OSCAL-based FedRAMP SAP and SAR content.</td></tr><tr><td rowspan="3"><div><code>fedramp-general-role-identifiers</code></div></td><td><div><code>fedramp-pmo</code></div><div><code>fedramp-jab</code></div><div><code>cloud-service-provider</code></div><div><code>csp-operations-center</code></div></td><td><div><code><span class="highlight-missed">/*/o:metadata/o:role/@id</span></code></div></td></tr><tr><td colspan="2"><u>General Role Identifiers</u>: <i>FedRAMP additional role identifiers.</i></td></tr><tr><td colspan="2">Remarks: These are in addition to the NIST-defined allowed values for role identifiers, and apply to all OSCAL-based FedRAMP content.</td></tr><tr><td rowspan="3"><div><code>information-type-system</code></div></td><td><div><code>https://doi.org/10.6028/NIST.SP.800-60v2r1</code></div></td><td><div><code><span class="highlight-missed">/o:system-security-plan/o:system-characteristics/o:system-information/o:information-type/o:information-type-id/@system</span></code></div></td></tr><tr><td colspan="2"><u>Information Type System</u>: <i>Identifies the system from which the information type was defined.</i></td></tr><tr><td colspan="2">Remarks: FedRAMP only 
allows information types defined in NIST SP 800-60v2r1.</td></tr><tr><td rowspan="2"><div><code>observation-types</code></div></td><td><div><code>vendor-dependency</code></div><div><code>false-positive</code></div><div><code>operational-requirement</code></div><div><code>risk-adjustment</code></div><div><code>closure</code></div></td><td><div><code><span class="highlight-missed">/o:plan-of-action-and-milestones/o:observation/o:type</span></code></div><div><code><span class="highlight-missed">/o:assessment-results/o:result/o:observation/o:type</span></code></div></td></tr><tr><td colspan="2"><u>Observation Types</u>: <i>In addition to the NIST observation types, FedRAMP requires observation types to support risk deviations and vendor dependencies.</i></td></tr><tr><td rowspan="3"><div><code>planned-completion-date</code></div></td><td></td><td><div><code><span class="highlight-missed">/o:system-security-plan/o:control-implementation/o:implemented-requirement[o:prop[@name='implementation-status'][@value='planned']]</span></code></div></td></tr><tr><td colspan="2"><u>Planned Implementation Date Exists</u>: <i>If the control implementation status is "Planned" a "Planned Implementation Date" must be provided.</i></td></tr><tr><td colspan="2">Remarks:
In the SSP, if implemented-requirement includes prop[@name='implementation-status'] with value='planned', a planned-completion-date extension must be provided.
</td></tr><tr><td rowspan="2"><div><code>poam-risk-impacted-control</code></div></td><td></td><td><div><code><span class="highlight-missed">/o:plan-of-action-and-milestones/o:risk/o:prop</span></code></div></td></tr><tr><td colspan="2"><u>Impacted Control</u>: <i>At least one impacted control field is required in the POA&amp;M.</i></td></tr><tr><td rowspan="2"><div><code>sar-risk-impacted-control</code></div></td><td></td><td><div><code><span class="highlight-missed">/o:assessment-results/o:result/o:risk/o:prop</span></code></div></td></tr><tr><td colspan="2"><u>Impacted Control</u>: <i>The impacted control field is optional in the SAR, but helpful in anticipation of copying open risks to the POA&amp;M.</i></td></tr><tr><td rowspan="2"><div><code>security-impact-level</code></div></td><td><div><code>fips-199-low</code></div><div><code>fips-199-moderate</code></div><div><code>fips-199-high</code></div></td><td><div><code><span class="highlight-missed">/o:system-security-plan/o:system-characteristics/o:system-information/o:information-type/o:confidentiality-impact/base</span></code></div><div><code><span class="highlight-missed">/o:system-security-plan/o:system-characteristics/o:system-information/o:information-type/o:confidentiality-impact/selected</span></code></div><div><code><span class="highlight-missed">/o:system-security-plan/o:system-characteristics/o:system-information/o:information-type/o:availability-impact/base</span></code></div><div><code><span class="highlight-missed">/o:system-security-plan/o:system-characteristics/o:system-information/o:information-type/o:availability-impact/selected</span></code></div><div><code><span class="highlight-missed">/o:system-security-plan/o:system-characteristics/o:system-information/o:information-type/o:integrity-impact/base</span></code></div><div><code><span 
class="highlight-missed">/o:system-security-plan/o:system-characteristics/o:system-information/o:information-type/o:integrity-impact/selected</span></code></div></td></tr><tr><td colspan="2"><u>Security Impact Level</u>: <i>The security objective level as defined by NIST SP 800-60.</i></td></tr><tr><td rowspan="2"><div><code>service-model</code></div></td><td><div><code>saas</code></div><div><code>paas</code></div><div><code>iaas</code></div><div><code>other</code></div></td><td><div><code>/o:system-security-plan/o:system-characteristics/o:prop[@name='<span class="highlight">service-model</span>']/@value</code></div></td></tr><tr><td colspan="2"><u>Service Model</u>: <i>The cloud service model.</i></td></tr><tr><td rowspan="2"><div><code>system-identifier-type</code></div></td><td><div><code>https://fedramp.gov</code></div></td><td><div><code><span class="highlight-missed">/o:system-security-plan/o:system-characteristics/o:system-id/@identifier-type</span></code></div></td></tr><tr><td colspan="2"><u>System Identifier Type</u>: <i>Enables an identifier to be formally recognized as being assigned by FedRAMP.</i></td></tr><tr><td rowspan="3"><div><code>system-operational-status</code></div></td><td><div><code>operational</code></div><div><code>under-major-modification</code></div><div><code>other</code></div></td><td><div><code><span class="highlight-missed">/o:system-security-plan/o:system-characteristics/o:system-characteristics/o:status/@state</span></code></div></td></tr><tr><td colspan="2"><u>Operational Status (system)</u>: <i>The operational status of the system</i></td></tr><tr><td colspan="2">Remarks:
FedRAMP limits the allowed values from a larger NIST-defined list to only those defined here.
</td></tr></tbody></table></body></html>