GSA · wandmagic · Dec 30, 2024 · Dec 30, 2024 · Dec 30, 2024 · Dec 30, 2024
@@ -92,6 +92,7 @@ Examples:
   | has-network-architecture-diagram-link-href-target |
   | has-network-architecture-diagram-link-rel |
   | has-network-architecture-diagram-link-rel-allowed-value |
+  | has-poam-resource |
   | has-policy |
   | has-procedure |
   | has-published-date |
@@ -152,6 +153,11 @@ Examples:
   | scan-type |
   | security-level |
   | security-sensitivity-level-matches-security-impact-level |
+  | ssp-component-has-poam-link |
+  | ssp-poam-item-exists |
+  | ssp-poam-link-has-resource-fragment |
+  | ssp-poam-link-references-valid-resource |
+  | ssp-poam-resource-has-oscal-link |
   | statement-has-this-system-component |
   | unique-inventory-item-asset-id |
   | used-by-link-references-component |
@@ -313,6 +319,8 @@ Examples:
   | has-network-architecture-diagram-link-rel-PASS.yaml |
   | has-network-architecture-diagram-link-rel-allowed-value-FAIL.yaml |
   | has-network-architecture-diagram-link-rel-allowed-value-PASS.yaml |
+  | has-poam-resource-FAIL.yaml |
+  | has-poam-resource-PASS.yaml |
   | has-policy-FAIL.yaml |
   | has-policy-PASS.yaml |
   | has-procedure-FAIL.yaml |
@@ -433,6 +441,16 @@ Examples:
   | security-level-PASS.yaml |
   | security-sensitivity-level-matches-security-impact-level-FAIL.yaml |
   | security-sensitivity-level-matches-security-impact-level-PASS.yaml |
+  | ssp-component-has-poam-link-FAIL.yaml |
+  | ssp-component-has-poam-link-PASS.yaml |
+  | ssp-poam-item-exists-FAIL.yaml |
+  | ssp-poam-item-exists-PASS.yaml |
+  | ssp-poam-link-has-resource-fragment-FAIL.yaml |
+  | ssp-poam-link-has-resource-fragment-PASS.yaml |
+  | ssp-poam-link-references-valid-resource-FAIL.yaml |
+  | ssp-poam-link-references-valid-resource-PASS.yaml |
+  | ssp-poam-resource-has-oscal-link-FAIL.yaml |
+  | ssp-poam-resource-has-oscal-link-PASS.yaml |
   | statement-has-this-system-component-FAIL.yaml |
   | statement-has-this-system-component-PASS.yaml |
   | unique-inventory-item-asset-id-FAIL.yaml |

@@ -1,23 +1,22 @@
-import { BeforeAll, BeforeStep, Given, Then, When, setDefaultTimeout, world } from "@cucumber/cucumber";
+import { BeforeAll, Given, Then, When, setDefaultTimeout } from "@cucumber/cucumber";
 import { expect } from "chai";
 import {
+  existsSync,
+  mkdirSync,
   readFileSync,
   readdirSync,
   unlinkSync,
   writeFileSync,
-  mkdirSync,
-  existsSync,
 } from "fs";
 import { load } from "js-yaml";
-import { executeOscalCliCommand, resolveProfile, resolveProfileDocument, validateDocument} from "oscal";
-import {checkServerStatus} from 'oscal/dist/server.js'
-import { dirname, join,parse, resolve } from "path";
-import { Exception, Log, Result } from "sarif";
+import { JSDOM } from 'jsdom';
+import { executeOscalCliCommand, formatSarifOutput, resolveProfileDocument, validateDocument } from "oscal";
+import { checkServerStatus } from 'oscal/dist/server.js';
+import { dirname, join, parse, resolve } from "path";
+import { Log } from "sarif";
 import { fileURLToPath } from "url";
-import { parseString } from "xml2js";
-import {JSDOM} from 'jsdom'
 import { promisify } from "util";
-import {formatSarifOutput} from 'oscal'
+import { parseString } from "xml2js";
 let executor: 'oscal-cli'|'oscal-server' = process.env.OSCAL_EXECUTOR as 'oscal-cli'|'oscal-server' || 'oscal-cli'
 const quiet = process.env.OSCAL_TEST_QUIET === 'true'
 
@@ -686,6 +685,7 @@ Then('I should have valid results {string}', async function (fileToValidate) {
 
 Then('I should verify that all constraints follow the style guide constraint', async function () {
   const baseDir = join(__dirname, '..', '..');
+  const styleGuidePath = join(baseDir, 'src', 'validations', 'styleguides', 'fedramp-constraint-style.xml');
   const constraintDir = join(baseDir, 'src', 'validations', 'constraints');
   const constraintFiles = readdirSync(constraintDir).filter(file => 
     file.startsWith('fedramp') && file.endsWith('.xml')
@@ -701,7 +701,15 @@ Then('I should verify that all constraints follow the style guide constraint', a
       const fileContent = readFileSync(filePath, 'utf8');
       const dom = new JSDOM(fileContent, { contentType: 'text/xml' });
       const document = dom.window.document;
-
+      const {isValid,log} = await validateDocument(filePath,{flags:['disable-schema'],quiet,extensions:[styleGuidePath],module:"http://csrc.nist.gov/ns/oscal/metaschema/1.0"},executor)
+      writeFileSync(
+        join(
+          __dirname,
+          "../../sarif/",
+          fileName.split(".xml").join("").toString()+".sarif"
+        ),JSON.stringify(log, null,"\t"))  
+      const formattedErrors = (formatSarifOutput(log));
+      formattedErrors&&errors.push(formattedErrors)
       // Process each 'constraints' block separately
       document.querySelectorAll('constraints').forEach(constraintsNode => {
         // Get direct child elements with IDs within this constraints block

@@ -0,0 +1,96 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<plan-of-action-and-milestones uuid="714210d2-f8df-448c-be3e-e2213816cf79"
+    xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_poam_schema.xsd">
+    <metadata>
+        <title>Plan of Action and Milestones for Service B</title>
+        <last-modified>2024-12-12T13:57:28.355446-04:00</last-modified>
+        <version>1.0</version>
+        <oscal-version>1.1.2</oscal-version>
+        <prop name="marking" value="cui"/>
+        <prop name="fedramp-version" ns="https://fedramp.gov/ns/oscal" value="fedramp-3.0.0rc1-oscal-1.1.2"/>
+    </metadata>
+
+    <import-ssp href="fedramp-ssp-example.oscal.xml"/>
+
+    <system-id identifier-type="http://ietf.org/rfc/rfc4122">8101e04d-8305-4e73-bb95-6b59f645b143</system-id>
+
+    <observation uuid="b807eb6e-0c05-43bc-8438-799739615e35">
+        <title>Non-Authorized Service Assessment - Service B</title>
+        <description>
+            <p>Assessment of non-authorized Service B provided by Awesome Cloud for security controls and risk evaluation.</p>
+        </description>
+        <method>EXAMINE</method>
+        <type>finding</type>
+        <subject subject-uuid="11111111-2222-4000-8000-009000500002" type="component"/>
+        <collected>2024-12-12T13:00:00-04:00</collected>
+        <remarks>
+            <p>Service B is being utilized without explicit FedRAMP authorization coverage. While the service implements TLS 1.3 for connection security and includes authentication controls, its use outside the authorized service boundary requires risk assessment and continuous monitoring.</p>
+        </remarks>
+    </observation>
+
+    <risk uuid="485cfb95-20c7-45b0-991c-3f86a8e0cbd4">
+        <title>Use of Non-Authorized Service B from Awesome Cloud</title>
+        <description>
+            <p>Service B is being utilized from the Awesome Cloud environment but is not included within the explicit FedRAMP authorization boundary. This requires risk assessment and ongoing monitoring to ensure security controls are adequate.</p>
+        </description>
+        <statement>
+            <p>The use of non-authorized services, even from an authorized cloud provider, introduces potential security risks if not properly assessed and monitored. While Service B implements security controls including TLS 1.3 and authentication mechanisms, its operation outside the FedRAMP authorized boundary requires additional scrutiny and continuous risk management.</p>
+        </statement>
+        <status>open</status>
+        <characterization>
+            <origin>
+                <actor type="tool" actor-uuid="e7730080-71ce-4b20-bec4-84f33136fd58"/>
+            </origin>
+            <facet name="likelihood" value="moderate" system="https://fedramp.gov/ns/oscal"/>
+            <facet name="impact" value="moderate" system="https://fedramp.gov/ns/oscal"/>
+        </characterization>
+        <deadline>2025-03-31T04:59:00-05:00</deadline>
+        <response uuid="b28873f7-0a45-476d-9cd3-1d2ec0b8bca2" lifecycle="planned">
+            <title>Service B Security Assessment and Documentation</title>
+            <description>
+                <p>A comprehensive security assessment of Service B will be conducted to include:</p>
+                <ul>
+                    <li>Detailed documentation of security controls and their effectiveness</li>
+                    <li>Validation of TLS 1.3 implementation</li>
+                    <li>Review of authentication mechanisms</li>
+                    <li>Assessment of data protection measures</li>
+                    <li>Development of continuous monitoring procedures</li>
+                </ul>
+            </description>
+            <prop name="type" value="mitigate"/>
+            <task uuid="f8b1d4cb-d1a9-4932-9859-2e93b325f288" type="milestone">
+                <title>Complete Security Assessment of Service B</title>
+                <description>
+                    <p>Conduct full security assessment and document findings, including recommendations for additional controls if needed.</p>
+                </description>
+                <timing>
+                    <within-date-range start="2025-01-01T09:00:00-04:00" end="2025-03-31T17:00:00-04:00"/>
+                </timing>
+            </task>
+        </response>
+        <related-observation observation-uuid="b807eb6e-0c05-43bc-8438-799739615e35"/>
+    </risk>
+    <finding uuid="b807eb6e-0c05-43bc-8438-799739615e31">
+        <title>example finding</title>
+        <description>
+            <p>finding description</p>
+        </description>
+        <origin>
+            <actor type="autonmous" actor-uuid="1237eb6e-0c05-43bc-8438-799739615e31"></actor>
+        </origin>
+        <target type="self" target-id="c807eb6e-0c05-43bc-8438-799739615e31">
+            <description>
+                <p>example target description</p>
+            </description>
+            <status state="new"/>
+        </target>
+    </finding>
+    <poam-item uuid="b953b9fc-7e7e-410d-989b-c065d0a458d3">
+        <title>example poam item</title>
+        <description>
+            <p>poam item description</p>
+        </description>
+        <associated-risk risk-uuid="485cfb95-20c7-45b0-991c-3f86a8e0cbd4" />
+    </poam-item>
+</plan-of-action-and-milestones>