FedRAMP business rules have been inferred from FedRAMP documents, FedRAMP OSCAL SSP documentation, and interviews.
FedRAMP business rules are expected to undergo change over time. It is hoped, and expected, that this manner of business rule definition and elaboration can be used to maintain both business rules and the related code for automated validation thereof.
The `rules.xml` document defines business rules for FedRAMP SSPs. These are cast as English prose assertions. References to related FedRAMP documentation are present when possible.

The `rules.xsd` document is an XML Schema definition for `rules.xml` syntax.

`rules.xsl` is an XSL Transform which combines `rules.xml` with `ssp.sch` to produce an HTML5 document describing the structured rules and related Schematron assertions.

`rules.css` is a companion CSS document used by `rules.xsl`.

`ssp.sch` is a document containing Schematron assertions which enable automated validation of FedRAMP OSCAL System Security Plans.
The primary Schematron elements are `pattern`, `rule`, and `assert`.

A Schematron `pattern` element allows Schematron `rule` elements to be grouped together.

Schematron `rule` elements specify a context (a locus within an XML document to which the subordinate assertions apply), expressed in XPath.

Schematron `assert` elements specify a natural language assertion (i.e., a desired state) and a corresponding test.
fedramp-automation requires that each Schematron `assert` element specifies:

- An `id` attribute, which is required for the related unit tests cast in the XSpec language.
- A `role` attribute specifying the relative import of a failed test: information, warning, error, fatal.
- A `test` attribute, which is an XPath statement evaluated in the context of the parent `rule`.
- A body containing a natural language assertion describing the desired (positive) outcome of the test.
- A `diagnostics` attribute identifying a diagnostic message associated with a negative assertion outcome.
fedramp-automation extends Schematron with some additional constructs:

- Additional attributes on assertions for documentation references.
- Additional attributes on the `diagnostic` element which refer to the related assertion's test and context.
- A reference to the related unit test document.
`ssp.xspec` contains unit tests for assertions in `ssp.sch`. The unit tests are written in XSpec.

`sch.sch` is a set of Schematron assertions which can be employed to enforce FedRAMP Schematron coding rules (such as in a schema-driven editor).