[WIP] No by-component w/o statement for GSA#770

Defining them outside of a statement is syntatically valid, but outside of FedRAMP best practices and is not accepted. We must add an additional constraint to indicate this should be removed. Co-Authored-By: Kylie Hunter <[email protected]>
aj-stein-gsa · Oct 18, 2024 · ef26bb6 · ef26bb6
1 parent 5a1e56c
commit ef26bb6
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
@@ -169,6 +169,9 @@
     <context>
         <metapath target="/system-security-plan/control-implementation"/>
         <constraints>
+            <expect id="implemented-requirement-outside-statement" target="implemented-requirement" test="not(exists(by-component))">
+                <message>A FedRAMP SSP MUST document only a component-based implemented requirement within a specific statement, not at the control level.</message>
+            </expect>
             <expect id="missing-response-components" target="implemented-requirement" test="count(./by-component) gt 0">
                 <message>Each implemented requirement must have at least one by-component reference to the source component implementing it.</message>
             </expect>