Add the interconnection-component-has-remote-protocol constraint

features/fedramp_extensions.feature

@@ -116,6 +116,7 @@ Examples:
   | information-type-has-confidentiality-impact |
   | information-type-has-integrity-impact |
   | information-type-system |
+  | interconnection-component-has-remote-protocol |
   | interconnection-direction |
   | interconnection-security |
   | inventory-item-allows-authenticated-scan |
@@ -367,6 +368,8 @@ Examples:
   | information-type-id-PASS.yaml |
   | information-type-system-FAIL.yaml |
   | information-type-system-PASS.yaml |
+  | interconnection-component-has-remote-protocol-FAIL.yaml |
+  | interconnection-component-has-remote-protocol-PASS.yaml |
   | interconnection-direction-FAIL.yaml |
   | interconnection-direction-PASS.yaml |
   | interconnection-security-FAIL.yaml |

src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml

@@ -2288,6 +2288,49 @@ approved.</p>
       </protocol>
     </component>
 
+
+    <component uuid="11111111-2222-4000-8000-009000200002" type="interconnection">
+       <title>Authorized Connection Information System Name</title>
+       <description>
+          <p>Describe the purpose of the external system/service; specifically, provide reasons for connectivity (e.g., system monitoring, system alerting, download updates, etc.)</p>
+       </description>
+       <prop name="nature-of-agreement" value="contract" ns="http://fedramp.gov/ns/oscal"/>
+       <prop name="authentication-method" value="yes" ns="http://fedramp.gov/ns/oscal">
+          <remarks>
+             <p>If 'yes', describe the authentication method in the remarks.</p>
+             <p>If 'no', explain why no authentication is used in the remarks.</p>
+             <p>If 'not-applicable', attest explain why authentication is not applicable in the remarks.</p>
+          </remarks>
+       </prop>
+       <prop name="information-type" class="incoming" value="C.3.5.1" ns="http://fedramp.gov/ns/oscal"/>
+       <prop name="information-type" class="incoming" value="C.3.5.8" ns="http://fedramp.gov/ns/oscal"/>
+       <prop name="ipv4-address" class="local" value="10.1.1.1"/>
+       <prop name="ipv6-address" class="local" value="::ffff:10.1.1.1"/>
+       <prop name="ipv4-address" class="remote" value="10.2.2.2"/>
+       <prop name="ipv6-address" class="remote" value="::ffff:10.2.2.2"/>
+       <prop name="fqdn" class="remote" value="www.example.com"/>
+       <prop name="uri" class="remote" value="https://sample.com#content"/>
+       <prop name="connection-security" value="tls-1.3" ns="http://fedramp.gov/ns/oscal"/>
+       <link rel="uri" href="https://www.example.com#content"/>
+       <status state="operational"/>
+       <responsible-role role-id="provider">
+          <party-uuid>44444444-2222-4000-8000-004000000001</party-uuid>
+       </responsible-role>
+       <responsible-role role-id="isa-poc-remote">
+          <party-uuid>11111111-2222-4000-8000-004000000008</party-uuid>
+       </responsible-role>
+       <responsible-role role-id="isa-poc-local">
+          <party-uuid>11111111-2222-4000-8000-004000000008</party-uuid>
+       </responsible-role>
+       <responsible-role role-id="administrator">
+          <prop name="privilege-uuid" value="11111111-2222-4000-8000-008000000004" ns="http://fedramp.gov/ns/oscal"/>
+          <party-uuid>11111111-2222-4000-8000-004000000010</party-uuid>
+          <party-uuid>11111111-2222-4000-8000-004000000011</party-uuid>
+          <party-uuid>11111111-2222-4000-8000-004000000012</party-uuid>
+       </responsible-role>
+    </component>
+
+
     <!-- Appendix M - Inventory -->
     <inventory-item uuid="11111111-2222-4000-8000-011000000001">
       <description>

src/validations/constraints/content/ssp-interconnection-component-has-remote-protocol-INVALID.xml

@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<?xml-model href="https://github.com/usnistgov/OSCAL/releases/download/v1.1.3/oscal_ssp_schema.xsd" schematypens="http://www.w3.org/2001/XMLSchema" title="OSCAL complete schema"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="df903c4c-6bb5-4b78-8a71-c5baa06a9f2e">
+   <system-implementation>
+        <component uuid="11111111-2222-4000-8000-009000200002" type="interconnection">
+           <title>Authorized Connection Information System Name</title>
+           <description>
+              <p>Describe the purpose of the external system/service; specifically, provide reasons for connectivity (e.g., system monitoring, system alerting, download updates, etc.)</p>
+           </description>
+           <prop name="nature-of-agreement" value="contract" ns="http://fedramp.gov/ns/oscal"/>
+           <prop name="authentication-method" value="yes" ns="http://fedramp.gov/ns/oscal">
+              <remarks>
+                 <p>If 'yes', describe the authentication method in the remarks.</p>
+                 <p>If 'no', explain why no authentication is used in the remarks.</p>
+                 <p>If 'not-applicable', attest explain why authentication is not applicable in the remarks.</p>
+              </remarks>
+           </prop>
+           <prop name="information-type" class="incoming" value="C.3.5.1" ns="http://fedramp.gov/ns/oscal"/>
+           <prop name="information-type" class="incoming" value="C.3.5.8" ns="http://fedramp.gov/ns/oscal"/>
+           <prop name="ipv4-address" class="local" value="10.1.1.1"/>
+           <prop name="ipv6-address" class="local" value="::ffff:10.1.1.1"/>
+           <!--prop name="ipv4-address" class="remote" value="10.2.2.2"/>
+           <prop name="ipv6-address" class="remote" value="::ffff:10.2.2.2"/>
+           <prop name="fqdn" class="remote" value="www.example.com" ns="http://fedramp.gov/ns/oscal"/>
+           <prop name="uri" class="remote" value="https://sample.com#content" ns="http://fedramp.gov/ns/oscal"/>
+           <prop name="connection-security" value="tls-1.3" ns="http://fedramp.gov/ns/oscal"/>
+           <link rel="uri" href="https://www.example.com#content"/-->
+           <status state="operational"/>
+           <responsible-role role-id="provider">
+              <party-uuid>44444444-2222-4000-8000-004000000001</party-uuid>
+           </responsible-role>
+           <responsible-role role-id="isa-poc-remote">
+              <party-uuid>11111111-2222-4000-8000-004000000008</party-uuid>
+           </responsible-role>
+           <responsible-role role-id="isa-poc-local">
+              <party-uuid>11111111-2222-4000-8000-004000000008</party-uuid>
+           </responsible-role>
+           <responsible-role role-id="administrator">
+              <prop name="privilege-uuid" value="11111111-2222-4000-8000-008000000004" ns="http://fedramp.gov/ns/oscal"/>
+              <party-uuid>11111111-2222-4000-8000-004000000010</party-uuid>
+              <party-uuid>11111111-2222-4000-8000-004000000011</party-uuid>
+              <party-uuid>11111111-2222-4000-8000-004000000012</party-uuid>
+           </responsible-role>
+        </component>
+   </system-implementation>
+</system-security-plan>

src/validations/constraints/fedramp-external-constraints.xml

@@ -600,6 +600,11 @@
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#leveraged-fedramp-authorized-services"/>
                 <message>In a FedRAMP SSP, each information type property in a component MUST categorize the class of data flow as incoming to the system, outgoing from the system, or both.</message>
             </expect>
+            <expect id="interconnection-component-has-remote-protocol" target="component[@type='interconnection']" test="count(prop[@class='remote' and @name=('ipv4-address','ipv6-address','fqdn','uri')] | link[@rel='uri']) &gt;= 1" level="ERROR">
+                <formal-name>Interconnection Component Has Remote Protocols</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/"/>
+                <message>In a FedRAMP SSP, an interconnection component MUST have at least one remote IPv4 Address, IPv6 Address, URI, or FQDN.</message>
+            </expect>
             <expect id="inventory-item-and-component-has-public" target="(inventory-item | component[@type='service' and prop[@name='implementation-point' and @value='internal']])" test="count(prop[@name='public']) = 1" level="ERROR">
                 <formal-name>Inventory Item and Component Has Public</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>

src/validations/constraints/unit-tests/interconnection-component-has-remote-protocol-FAIL.yaml

@@ -0,0 +1,8 @@
+# Driver for the invalid interconnection-component-has-remote-protocol constraint unit test.
+test-case:
+  name: The invalid interconnection-component-has-remote-protocol constraint unit test.
+  description: Test that the FedRAMP SSP interconnection component does not have remote IPv4 Address, IPv6 Address, URI, or FQDN.
+  content: ../content/ssp-interconnection-component-has-remote-protocol-INVALID.xml
+  expectations:
+  - constraint-id: interconnection-component-has-remote-protocol
+    result: fail

src/validations/constraints/unit-tests/interconnection-component-has-remote-protocol-PASS.yaml

@@ -0,0 +1,8 @@
+# Driver for the valid interconnection-component-has-remote-protocol constraint unit test.
+test-case:
+  name: The valid interconnection-component-has-remote-protocol constraint unit test.
+  description: Test that the FedRAMP SSP interconnection component has at least one remote IPv4 Address, IPv6 Address, URI, or FQDN.
+  content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+  expectations:
+  - constraint-id: interconnection-component-has-remote-protocol
+    result: pass