From b848c5b08c09fed786af5b3d0067d5d7ac456d36 Mon Sep 17 00:00:00 2001
From: Gabeblis <gabriel.rodriguez@gsa.gov>
Date: Mon, 23 Dec 2024 15:01:41 +0000
Subject: [PATCH] Fix control-implementation-status constraint

---
 .../ssp/xml/fedramp-ssp-example.oscal.xml     |   8 +-
 ...-control-implementation-status-INVALID.xml |   2 +-
 ...sp-control-implementation-status-VALID.xml | 627 ------------------
 .../fedramp-external-allowed-values.xml       |  12 +-
 .../control-implementation-status-PASS.yaml   |   2 +-
 5 files changed, 12 insertions(+), 639 deletions(-)
 delete mode 100644 src/validations/constraints/content/ssp-control-implementation-status-VALID.xml

diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
index 90403e53f..dfad612b1 100644
--- a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+++ b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
@@ -2485,7 +2485,7 @@ SSP authors must add implmentations for all required controls.
           </description>
           <link href="#11111111-2222-4000-8000-001000000005" rel="policy"/>
           <link href="#11111111-2222-4000-8000-001000000023" rel="procedure"/>
-          <implementation-status state="operational"/>
+          <implementation-status state="implemented"/>
                     <responsible-role role-id="system-admin">
                         <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
                     </responsible-role>
@@ -2500,7 +2500,7 @@ SSP authors must add implmentations for all required controls.
             <p>Component approach. This links to a component representing the Identity Management and Access Control Policy.</p>
             <p>That component contains a link to the policy, so it does not have to be linked here too.</p>
           </description>
-          <implementation-status state="operational"/>
+          <implementation-status state="implemented"/>
                     <responsible-role role-id="system-admin">
                         <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
                     </responsible-role>
@@ -2543,7 +2543,7 @@ SSP authors must add implmentations for all required controls.
           <description>
             <p>Describe how Part b-1 is satisfied.</p>
           </description>
-          <implementation-status state="operational"/>
+          <implementation-status state="implemented"/>
                     <responsible-role role-id="system-admin">
                         <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
                     </responsible-role>
@@ -2553,7 +2553,7 @@ SSP authors must add implmentations for all required controls.
           <description>
             <p>Describe how Part b-2 is satisfied.</p>
           </description>
-          <implementation-status state="operational"/>
+          <implementation-status state="implemented"/>
                     <responsible-role role-id="system-admin">
                         <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
                     </responsible-role>
diff --git a/src/validations/constraints/content/ssp-control-implementation-status-INVALID.xml b/src/validations/constraints/content/ssp-control-implementation-status-INVALID.xml
index 2cb6b2176..ffeccd0af 100644
--- a/src/validations/constraints/content/ssp-control-implementation-status-INVALID.xml
+++ b/src/validations/constraints/content/ssp-control-implementation-status-INVALID.xml
@@ -7,7 +7,7 @@
     <implemented-requirement uuid="88888888-0000-4000-9000-000000000008" control-id="ac-1">
       <statement statement-id="ac-1_stmt.a" uuid="99999999-0000-4000-9000-000000000009">
         <by-component component-uuid="55555555-0000-4000-9000-000000000005" uuid="aaaaaaaa-0000-4000-9000-00000000000a">
-          <prop ns="http://fedramp.gov/ns/oscal" name="implementation-status" value="unsupported-status"/>
+          <implementation-status state="unsupported-status"/>
         </by-component>
       </statement>
     </implemented-requirement>
diff --git a/src/validations/constraints/content/ssp-control-implementation-status-VALID.xml b/src/validations/constraints/content/ssp-control-implementation-status-VALID.xml
deleted file mode 100644
index 05d4246bf..000000000
--- a/src/validations/constraints/content/ssp-control-implementation-status-VALID.xml
+++ /dev/null
@@ -1,627 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
-                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
-                      uuid="12345678-1234-4321-8765-123456789012">
-  <metadata>
-    <title>Enhanced Example System Security Plan</title>
-    <published>2024-08-01T14:30:00Z</published>
-    <last-modified>2024-08-01T14:30:00Z</last-modified>
-    <version>1.1</version>
-    <oscal-version>1.1.2</oscal-version>
-    <document-id scheme="https://example.com/identifiers">SSP-2024-002</document-id>
-    <prop name="fedramp-version" ns="http://fedramp.gov/ns/oscal" value="fedramp-3.0.0rc1-oscal-1.1.2"/>
-    <prop name="marking" value="cui"/>
-    <role id="authorizing-official">
-      <title>Authorizing Official</title>
-      <description>
-        <p>Senior official with authority to formally assume responsibility for operating a system at an acceptable level of risk.</p>
-      </description>
-    </role>
-    <role id="prepared-by">
-      <title>Prepared By</title>
-      <description>
-        <p>This party prepared the SSP.</p>
-      </description>
-    </role>
-    <role id="prepared-for">
-      <title>Prepared For</title>
-      <description>
-        <p>The organization for which this SSP was prepared. Typically the CSP.</p>
-      </description>
-    </role>
-    <role id="creator">
-      <title>Document Creator</title>
-    </role>
-    <role id="content-approver">
-      <title>Content Approver</title>
-    </role>
-    <role id="system-admin">
-      <title>System Administrator</title>
-    </role>
-    <role id="asset-owner">
-      <title>Asset Owner</title>
-    </role>
-    <role id="system-owner">
-      <title>System Owner</title>
-    </role>
-     <role id="authorizing-official-poc">
-       <title>Authorizing Official Point of Contact</title>
-     </role>
-     <role id="information-system-security-officer">
-       <title>Information System Security Officer (or Equivalent)</title>
-     </role>
-     <role id="system-poc-management">
-      <title>Information System Management Point of Contact (POC)</title>
-      <description>
-         <p>The highest level manager who is responsible for system operation on behalf of the System Owner.</p>
-      </description>
-      </role>
-      <role id="system-poc-technical">
-          <title>Information System Technical Point of Contact</title>
-          <description>
-            <p>The individual or individuals leading the technical operation of the system.</p>
-          </description>
-      </role>
-      <role id="system-poc-other">
-          <title>General Point of Contact (POC)</title>
-          <description>
-            <p>A general point of contact for the system, designated by the system owner.</p>
-          </description>
-      </role>
-
-    <location uuid="27b78960-59ef-4619-82b0-ae20b9c709ac">
-      <title>CSP HQ</title>
-      <address type="work">
-        <addr-line>Suite 0000</addr-line>
-        <addr-line>1234 Some Street</addr-line>
-        <city>Haven</city>
-        <state>ME</state>
-        <postal-code>00000</postal-code>
-        <country>US</country>
-      </address>
-    </location>
-    <location uuid="11111112-0000-4000-9001-000000000009">
-      <address >
-        <country>US</country>
-      </address>
-      <prop name="type" value="data-center" class="primary"/>
-    </location>
-    <location uuid="11111112-0000-4000-9000-000000000003">
-      <address >
-        <country>US</country>
-      </address>
-      <prop name="type" value="data-center" class="alternate"/>
-    </location>
-    <party uuid="3360e343-9860-4bda-9dfc-ff427c3dfab6" type="person">
-      <name>Person Name 1</name>
-      <prop name="job-title" value="Individual's Title"/>
-      <prop name="mail-stop" value="Mailstop A-1"/>
-      <email-address>name@example.com</email-address>
-      <telephone-number>2020000001</telephone-number>
-      <location-uuid>27b78960-59ef-4619-82b0-ae20b9c709ac</location-uuid>
-      <member-of-organization>6b286b5d-8f07-4fa7-8847-1dd0d88f73fb</member-of-organization>
-    </party>
-    <party uuid="6b286b5d-8f07-4fa7-8847-1dd0d88f73fb" type="organization">
-      <name>Cloud Service Provider (CSP) Name</name>
-      <short-name>CSP Acronym/Short Name</short-name>
-      <link href="#31a46c4f-2959-4287-bc1c-67297d7da60b" rel="logo"/>
-      <location-uuid>27b78960-59ef-4619-82b0-ae20b9c709ac</location-uuid>
-    </party>
-    <party uuid="11111111-0000-4000-9000-000000000001" type="organization">
-      <name>Example Organization</name>
-      <short-name>ExOrg</short-name>
-      <link rel="website" href="https://example.com"/>
-    </party>
-    <party uuid="22222222-0000-4000-9000-000000000002" type="person">
-      <name>Jane Doe</name>
-      <email-address>jane.doe@example.com</email-address>
-    <address type="work"  />
-    </party>
-
-    <responsible-party role-id="prepared-by">
-      <party-uuid>3360e343-9860-4bda-9dfc-ff427c3dfab6</party-uuid>
-    </responsible-party>
-    <responsible-party role-id="prepared-for">
-      <party-uuid>6b286b5d-8f07-4fa7-8847-1dd0d88f73fb</party-uuid>
-    </responsible-party>
-    <responsible-party role-id="creator">
-      <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
-    </responsible-party>
-    <responsible-party role-id="content-approver">
-      <party-uuid>22222222-0000-4000-9000-000000000002</party-uuid>
-    </responsible-party>
-
-    <responsible-party role-id="system-owner">
-      <party-uuid>22222222-0000-4000-9000-000000000002</party-uuid>
-    </responsible-party>
-    <responsible-party role-id="authorizing-official">
-      <party-uuid>22222222-0000-4000-9000-000000000002</party-uuid>
-    </responsible-party>
-    <responsible-party role-id="authorizing-official-poc">
-      <party-uuid>22222222-0000-4000-9000-000000000002</party-uuid>
-    </responsible-party>
-    <responsible-party role-id="system-poc-management">
-      <party-uuid>22222222-0000-4000-9000-000000000002</party-uuid>
-    </responsible-party>
-    <responsible-party role-id="system-poc-technical">
-      <party-uuid>22222222-0000-4000-9000-000000000002</party-uuid>
-    </responsible-party>
-    <responsible-party role-id="system-poc-other">
-      <party-uuid>22222222-0000-4000-9000-000000000002</party-uuid>
-    </responsible-party>
-    <responsible-party role-id="information-system-security-officer">
-      <party-uuid>22222222-0000-4000-9000-000000000002</party-uuid>
-    </responsible-party>
-
-    <remarks>
-      <p>This SSP is an example for demonstration purposes.</p>
-    </remarks>
-  </metadata>
-  
-  <import-profile href="../../../../dist/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.xml"/>
-  
-  <system-characteristics>
-    <system-id identifier-type="http://fedramp.gov/ns/oscal">F00000001</system-id>
-    <system-name>Enhanced Example System</system-name>
-    <system-name-short>System's Short Name or Acronym</system-name-short>
-    <description>
-      <p>This is an enhanced example system for demonstration purposes, incorporating more FedRAMP-specific elements.</p>
-    </description>
-    <prop name="cloud-deployment-model" value="public-cloud">
-      <remarks>
-        <p>Remarks are required if deployment model is "hybrid-cloud" or "other". Optional otherwise.</p>
-      </remarks>
-    </prop>
-    <prop name="cloud-service-model" value="other">
-      <remarks>
-        <p>Remarks are required if service model is "other". Optional otherwise.</p>
-      </remarks>
-    </prop>
-    <prop name='authorization-type' value='fedramp-agency' ns="http://fedramp.gov/ns/oscal"/>
-    <prop name="identity-assurance-level" value="2"/>
-    <prop name="authenticator-assurance-level" value="2"/>
-    <prop name="federation-assurance-level" value="2"/>
-    <prop ns="http://fedramp.gov/ns/oscal" name="fully-operational-date" value="2023-01-01+00:00"/>
-    <security-sensitivity-level>fips-199-moderate</security-sensitivity-level>
-    <system-information>
-      <information-type  uuid="33333333-0000-4000-9000-000000000003">
-        <title>Financial Information</title>
-        <description>
-          <p>Contains sensitive financial data related to organizational operations.</p>
-        </description>
-        <categorization system="https://doi.org/10.6028/NIST.SP.800-60v2r1">
-          <information-type-id>C.2.8.12</information-type-id>
-        </categorization>
-        <confidentiality-impact>
-          <base>fips-199-high</base>
-          <selected>fips-199-high</selected>
-          <!-- adjustment-justification removed to ensure cia-impact-has-adjustment-justification passes when base and selected have the same impact level -->
-        </confidentiality-impact>
-        <integrity-impact>
-          <base>fips-199-moderate</base>
-          <selected>fips-199-low</selected>
-          <adjustment-justification>
-            <p>Required if the base and selected values do not match.</p>
-          </adjustment-justification>
-        </integrity-impact>
-        <availability-impact>
-          <base>fips-199-high</base>
-          <selected>fips-199-low</selected>
-          <adjustment-justification>
-            <p>Required if the base and selected values do not match.</p>
-          </adjustment-justification>
-        </availability-impact>
-      </information-type>
-    </system-information>
-    <security-impact-level>
-      <security-objective-confidentiality>fips-199-moderate</security-objective-confidentiality>
-      <security-objective-integrity>fips-199-moderate</security-objective-integrity>
-      <security-objective-availability>fips-199-moderate</security-objective-availability>
-    </security-impact-level>
-    <status state="operational"/>
-    <authorization-boundary>
-      <description>
-        <p>The authorization boundary includes all components within the main data center and the disaster recovery site.</p>
-      </description>
-      <diagram uuid="dbf46c27-52a9-49c4-beb6-b6399cd75497">
-            <description>
-               <p>A diagram-specific explanation.</p>
-            </description>
-            <link href="#d2eb3c18-6754-4e3a-a933-03d289e3fad5" rel="diagram"/>
-            <caption>Authorization Boundary Diagram</caption>
-         </diagram>
-    </authorization-boundary>
-    <network-architecture>
-      <description>
-        <p>A holistic, top-level explanation of the network architecture.</p>
-      </description>
-      <diagram uuid="e97c3395-433a-48c1-8cc7-dd1e1555941c">
-        <description>
-          <p>A diagram-specific explanation.</p>
-        </description>
-        <link href="#61081e81-850b-43c1-bf43-1ecbddcb9e7f" rel="diagram"/>
-        <caption>Network Diagram</caption>
-      </diagram>
-    </network-architecture>
-    <data-flow>
-      <description>
-        <p>A holistic, top-level explanation of the system's data flows.</p>
-      </description>
-      <diagram uuid="e3b98448-4219-46a5-b229-412423c566f3">
-        <description>
-          <p>A diagram-specific explanation.</p>
-        </description>
-        <link href="#ac5d7535-f3b8-45d3-bf3b-735c82c64547" rel="diagram"/>
-        <caption>Data Flow Diagram</caption>
-      </diagram>
-    </data-flow>
-  </system-characteristics>
-  
-  <system-implementation>
-
-    <leveraged-authorization uuid="233e0f09-fe5e-47e2-bca3-5f32df75e57a">
-      <title>GovCloud</title>
-      <prop ns="http://fedramp.gov/ns/oscal" name="leveraged-system-identifier" value="F1603047866"/>
-      <prop ns="http://fedramp.gov/ns/oscal" name="authorization-type" value="fedramp-agency"/>
-      <prop ns="http://fedramp.gov/ns/oscal" name="impact-level" value="fips-199-moderate"/>
-      <link href="//path/to/leveraged_system_ssp.xml"/>
-      <party-uuid>f0bc13a4-3303-47dd-80d3-380e159c8362</party-uuid>
-      <date-authorized>2015-01-01</date-authorized>
-      <remarks>
-        <p>Use one leveraged-authorization assembly for each underlying system. In the legacy world, these may be general support systems.</p>
-        <p>The link fields are optional, but preferred when known. Often, a leveraging system's SSP author will not have access to the leveraged system's SSP, but should have access to the leveraged system's CRM.</p>
-      </remarks>
-    </leveraged-authorization>
-
-    <user uuid="44444444-0000-4000-9000-000000000004">
-      <title>System Administrator</title>
-      <prop name="type" value="internal"/>
-      <prop ns="http://fedramp.gov/ns/oscal" name="privilege-level" value="read-write"/>
-      <prop ns="http://fedramp.gov/ns/oscal" name="sensitivity" value="high-risk"/>
-      <role-id>system-admin</role-id>
-      <authorized-privilege>
-        <title>Admin</title>
-        <description><p>admin user</p></description>
-        <function-performed>administration</function-performed>
-      </authorized-privilege>
-    </user>
-    
-    <component uuid="55555555-0000-4000-9000-000000000005" type="this-system">
-      <title>Primary Application Server</title>
-      <description>
-        <p>Main application server hosting the core system functionality.</p>
-      </description>
-      <purpose>main line</purpose>
-      <status state="operational"/>
-      <responsible-role role-id="system-admin">
-        <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
-      </responsible-role>
-      <remarks>
-        <p>This is the primary application server for the system.</p>
-      </remarks>
-    </component>
-    <component uuid="66666666-0000-4000-9000-000000000007" type="service">
-      <title>Firebase CLI Connection</title>
-      <description>
-        <p>CLI for updating firebase Secure connection to an external API for data enrichment.</p>
-      </description>
-      <prop ns="http://fedramp.gov/ns/oscal" name="authentication-method" value="yes">
-        <remarks>
-          <p>Some description of the authentication method.</p>
-        </remarks>
-      </prop>
-      <prop name="interconnection-security" value="vpn" ns="http://fedramp.gov/ns/oscal"/>
-      <prop name="interconnection-direction" value="in/out" ns="http://fedramp.gov/ns/oscal"/>
-      <prop name="leveraged-authorization-uuid" value="233e0f09-fe5e-47e2-bca3-5f32df75e57a"/>
-      <prop name="asset-type" value="cli"/>
-      <prop name="implementation-point" value="external"/>
-      <status state="operational"/>
-      <responsible-role role-id="system-admin">
-        <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
-      </responsible-role>
-      <remarks>
-        <p>This connection is used for secure data exchange with external systems.</p>
-      </remarks>
-    </component>
-    <component uuid="6ac88fd2-7c7b-4357-af2e-f22ccd3ead26" type="system">
-      <title>An External Leveraged System</title>
-      <description>
-        <p>An external leveraged system.</p>
-      </description>
-      <prop name="leveraged-authorization-uuid" value="233e0f09-fe5e-47e2-bca3-5f32df75e57a"/>
-      <prop name="implementation-point" value="external"/>
-      <prop name="nature-of-agreement" ns="http://fedramp.gov/ns/oscal" value="sla"/>
-      <prop ns="http://fedramp.gov/ns/oscal" name="authentication-method" value="yes">
-        <remarks>
-          <p>Some description of the external authentication method.</p>
-        </remarks>
-      </prop>
-      <status state="operational"/>
-      <responsible-role role-id="provider">
-        <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
-      </responsible-role>
-      <responsible-role role-id="system-admin">
-        <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
-      </responsible-role>
-      <responsible-role role-id="administrator">
-        <prop name="privilege-uuid" value="44444444-0000-4000-9000-000000000004" ns="http://fedramp.gov/ns/oscal" />
-      </responsible-role>
-    </component>
-
-    <component uuid="66666666-0000-4000-9000-000000000006" type="interconnection">
-      <title>External API Connection</title>
-      <description>
-        <p>Secure connection to an external API for data enrichment.</p>
-      </description>
-      <prop name="leveraged-authorization-uuid" value="233e0f09-fe5e-47e2-bca3-5f32df75e57a"/>
-      <prop name="connection-security" value="vpn" ns="http://fedramp.gov/ns/oscal"/>
-      <prop name="interconnection-security" value="vpn" ns="http://fedramp.gov/ns/oscal"/>
-      <prop name="interconnection-direction" value="in/out" ns="http://fedramp.gov/ns/oscal"/>
-      <prop name="direction" value="incoming" ns="http://fedramp.gov/ns/oscal"/>
-      <prop name="direction" value="outgoing" ns="http://fedramp.gov/ns/oscal"/>
-      <prop ns="http://fedramp.gov/ns/oscal" name="authentication-method" value="yes">
-        <remarks>
-          <p>Some description of the authentication method.</p>
-        </remarks>
-      </prop>
-      <status state="operational"/>
-      <responsible-role role-id="provider">
-        <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
-      </responsible-role>
-      <responsible-role role-id="system-admin">
-        <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
-      </responsible-role>
-      <remarks>
-        <p>This connection is used for secure data exchange with external systems.</p>
-      </remarks>
-    </component>
-
-    <component uuid="77777777-0000-4000-9000-000000000007" type="software">
-      <title>Name of External System</title>
-      <description>
-          <p>Briefly describe the external system.</p>
-      </description>
-      <prop name="connection-security" value="vpn" ns="http://fedramp.gov/ns/oscal"/>
-      <prop name="direction" value="in/out" ns="http://fedramp.gov/ns/oscal"/>      
-      <prop name="asset-type" value="cli"/>
-      <prop name="implementation-point" value="external"/>
-      <prop name="nature-of-agreement" ns="http://fedramp.gov/ns/oscal" value="isa"/>
-      <prop ns="http://fedramp.gov/ns/oscal" name="authentication-method" value="yes">
-        <remarks>
-          <p>Some description of the authentication method.</p>
-        </remarks>
-      </prop>
-      <status state="operational"/>
-      <responsible-role role-id="provider">
-        <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
-      </responsible-role>
-      <responsible-role role-id="system-admin">
-        <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
-      </responsible-role>
-    </component>
-    
-    <inventory-item uuid="77777777-0000-4000-9000-000000000007">
-      <description>
-        <p>Primary database server</p>
-      </description>
-      <prop name="asset-id" value="DB-001" ns="http://csrc.nist.gov/ns/oscal"/>
-      <prop name="asset-type" value="database"/>
-      <prop name="allows-authenticated-scan" value="yes"/>
-      <prop name="public" value="no"/>
-      <prop name="virtual" value="yes"/>
-      <prop name="scan-type" value="database" ns="http://fedramp.gov/ns/oscal"/>
-      <responsible-party role-id="asset-owner">
-        <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
-      </responsible-party>
-      <implemented-component component-uuid="55555555-0000-4000-9000-000000000005">
-        <prop name="asset-id" value="DB-001" ns="http://csrc.nist.gov/ns/oscal"/>
-      </implemented-component>
-    </inventory-item>
-
-    <inventory-item uuid="77777777-0000-4000-9001-000000000007">
-      <description>
-        <p>Secondary database server</p>
-      </description>
-      <prop name="asset-id" value="DB-002" ns="http://csrc.nist.gov/ns/oscal"/>
-      <prop name="asset-type" value="database"/>
-      <prop name="allows-authenticated-scan" value="yes"/>
-      <prop name="public" value="no"/>
-      <prop name="virtual" value="yes"/>
-      <prop name="scan-type" value="database" ns="http://fedramp.gov/ns/oscal"/>
-      <responsible-party role-id="asset-owner">
-        <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
-      </responsible-party>
-      <implemented-component component-uuid="55555555-0000-4000-9001-000000000005">
-        <prop name="asset-id" value="DB-002" ns="http://csrc.nist.gov/ns/oscal"/>
-      </implemented-component>
-    </inventory-item>
-
-  </system-implementation>
-  
-  <control-implementation>
-    <description>
-      <p>Implementation of controls for the Enhanced Example System</p>
-    </description>
-    <implemented-requirement uuid="88888888-0000-4000-9000-000000000008" control-id="ac-1">
-      <prop name="control-origination" value="sp-system" ns="http://fedramp.gov/ns/oscal"/>
-      <prop name="implementation-status" value="partial" ns="http://fedramp.gov/ns/oscal"/>
-      <statement statement-id="ac-1_stmt.a" uuid="99999999-0000-4000-9000-000000000009">
-        <by-component component-uuid="55555555-0000-4000-9000-000000000005" uuid="aaaaaaaa-0000-4000-9000-00000000000a">
-          <description>
-            <p>Access Control Policy and Procedures (AC-1) is fully implemented in our system.</p>
-          </description>
-          <prop ns="http://fedramp.gov/ns/oscal" name="implementation-status" value="implemented"/>
-          <responsible-role role-id="system-admin">
-            <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
-          </responsible-role>
-        </by-component>      
-      </statement>
-    </implemented-requirement>
-    
-    <implemented-requirement uuid="bbbbbbbb-0000-4000-9000-00000000000b" control-id="cm-8">
-      <prop name="control-origination" value="sp-system" ns="http://fedramp.gov/ns/oscal"/>
-      <statement statement-id="cm-8_stmt.a" uuid="cccccccc-0000-4000-9000-00000000000c">
-        <by-component component-uuid="55555555-0000-4000-9000-000000000005" uuid="dddddddd-0000-4000-9000-00000000000d">
-          <description>
-            <p>Information System Component Inventory (CM-8) is partially implemented.</p>
-          </description>
-          <prop ns="http://fedramp.gov/ns/oscal" name="implementation-status" value="partial"/>
-          <responsible-role role-id="system-admin">
-            <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
-          </responsible-role>
-        </by-component>      
-      </statement>
-    </implemented-requirement>
-  </control-implementation>
-  
-  <back-matter>
-    <resource uuid="eeeeeeee-0000-4000-9000-00000000000e">
-      <title>Access Control Policy</title>
-      <description>
-        <p>Detailed access control policy document</p>
-      </description>
-      <prop name="type" value="policy" ns="http://fedramp.gov/ns/oscal"/>
-      <rlink href="https://example.com/policies/access-control.pdf"/>
-    </resource>
-    <resource uuid="90a128ac-c850-48f6-8fff-a55692f80b41">
-      <title>User's Guide</title>
-      <description>
-         <p>User's Guide</p>
-      </description>
-      <prop name="type" value="users-guide"/>
-      <prop name="published" value="2023-01-01T00:00:00Z"/>
-      <rlink href="./documents/guides/sample_guide.pdf"/>
-      <remarks>
-         <p>Table 12-1 Attachments: User's Guide Attachment</p>
-         <p>May use <code>rlink</code> with a relative path, or embedded as <code>base64</code>.</p>
-      </remarks>
-   </resource>
-   <resource uuid="489112e1-57f2-4c29-8dd0-95b1442fbf3b">
-    <title>Document Title</title>
-    <description>
-       <p>Rules of Behavior</p>
-    </description>
-    <prop name="type" value="rules-of-behavior"/>
-    <prop name="published" value="2023-01-01T00:00:00Z"/>
-    <prop name="version" value="Document Version"/>
-    <rlink href="./documents/rob.docx" media-type="application/msword"/>
-    <base64 filename="rob.docx" media-type="application/msword">00000000</base64>
-    <remarks>
-       <p>Table 12-1 Attachments: Rules of Behavior (ROB)</p>
-       <p>May use <code>rlink</code> with a relative path, or embedded as <code>base64</code>.</p>
-    </remarks>
- </resource>
- <resource uuid="c7860916-f2f4-43aa-b578-d48cf8e6d381">
-  <title>Document Title</title>
-  <description>
-     <p>Contingency Plan (CP)</p>
-  </description>
-  <prop name="type" value="plan" class="information-system-contingency-plan"/>
-  <prop name="published" value="2023-01-01T00:00:00Z"/>
-  <prop name="version" value="Document Version"/>
-  <rlink href="./documents/cp.docx" media-type="application/msword"/>
-  <base64 filename="cp.docx" media-type="application/msword">00000000</base64>
-  <remarks>
-     <p>Table 12-1 Attachments: Contingency Plan (CP) Attachment</p>
-     <p>May use <code>rlink</code> with a relative path, or embedded as <code>base64</code>.</p>
-  </remarks>
-</resource>
-<resource uuid="ab56cf27-0dae-40d6-89b7-d750137309af">
-  <title>Document Title</title>
-  <description>
-     <p>Configuration Management (CM) Plan</p>
-  </description>
-  <prop name="type" value="plan" class="configuration-management-plan"/>
-  <prop name="published" value="2023-01-01T00:00:00Z"/>
-  <prop name="version" value="Document Version"/>
-  <rlink href="./documents/CM_Plan.docx" media-type="application/msword"/>
-  <base64 filename="CM_Plan.docx" media-type="application/msword">00000000</base64>
-  <remarks>
-     <p>Table 12-1 Attachments: Configuration Management (CM) Plan Attachment</p>
-     <p>May use <code>rlink</code> with a relative path, or embedded as <code>base64</code>.</p>
-  </remarks>
-</resource>
-<resource uuid="3f771ab5-8016-4571-98d1-f0fb962e15e2">
-  <title>Document Title</title>
-  <description>
-     <p>Incident Response (IR) Plan</p>
-  </description>
-  <prop name="type" value="plan" class="incident-response-plan"/>
-  <prop name="published" value="2023-01-01T00:00:00Z"/>
-  <prop name="version" value="Document Version"/>
-  <rlink href="./documents/IR_Plan.docx" media-type="application/msword"/>
-  <base64 filename="IR_Plan.docx" media-type="application/msword">00000000</base64>
-  <remarks>
-     <p>Table 12-1 Attachments: Incident Response (IR) Plan Attachment</p>
-     <p>May use <code>rlink</code> with a relative path, or embedded as <code>base64</code>.</p>
-  </remarks>
-</resource>
-<resource uuid="49fb4631-1da2-41ca-b0b3-e1b1006d4025">
-  <title>Separation of Duties Matrix</title>
-  <description>
-     <p>Separation of Duties Matrix</p>
-  </description>
-  <prop ns="http://fedramp.gov/ns/oscal" name="type" value="separation-of-duties-matrix"/>
-  <prop name="published" value="2023-01-01T00:00:00Z"/>
-  <prop name="version" value="Document Version"/>
-  <rlink href="./documents/Sep_Matrix.docx" media-type="application/msword"/>
-  <base64 filename="Sep_Matrix.docx" media-type="application/msword">00000000</base64>
-  <remarks>
-     <p>May use <code>rlink</code> with a relative path, or embedded as <code>base64</code>.</p>
-  </remarks>
-</resource>
-
-    <resource uuid="d2eb3c18-6754-4e3a-a933-03d289e3fad5">
-      <title>Boundary Diagram</title>
-      <description>
-        <p>The primary authorization boundary diagram.</p>
-      </description>
-      <prop name="type" value="image" class="authorization-boundary" />
-      <rlink href="./attachments/diagrams/boundary.png"/>
-      <base64 filename="logo.png" media-type="image/png">00000000</base64>
-      <remarks>
-        <p>Section 8.1, Figure 8-1 Authorization Boundary Diagram (graphic)</p>
-        <p>This should be referenced in the system-characteristics/authorization-boundary/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-001000000054"</p>
-        <p>May use <code>rlink</code> with a relative path, or embedded as <code>base64</code>.</p>
-        <p>FedRAMP prefers <code>base64</code> for images and diagrams.</p>
-        <p>Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.</p>
-      </remarks>
-    </resource>
-
-    <resource uuid="61081e81-850b-43c1-bf43-1ecbddcb9e7f">
-      <title>Network Diagram</title>
-      <description>
-        <p>The primary network diagram.</p>
-      </description>
-      <prop name="type" value="image" class="network-architecture" />
-      <!-- Use rlink and/or base64 -->
-      <rlink href="./attachments/diagrams/network.png"/>
-      <base64 filename="network.png" media-type="image/png">00000000</base64>
-      <remarks>
-        <p>Section 8.1, Figure 8-2 Network Diagram (graphic)</p>
-        <p>This should be referenced in the system-characteristics/network-architecture/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-001000000055"</p>
-        <p>May use <code>rlink</code> with a relative path, or embedded as <code>base64</code>.</p>
-        <p>FedRAMP prefers <code>base64</code> for images and diagrams.</p>
-        <p>Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.</p>
-      </remarks>
-    </resource>
-
-    <resource uuid="ac5d7535-f3b8-45d3-bf3b-735c82c64547">
-      <title>Data Flow Diagram</title>
-      <description>
-        <p>The primary data flow diagram.</p>
-      </description>
-      <prop name="type" value="image" class="data-flow" />
-      <rlink href="./attachments/diagrams/dataflow.png"/>
-      <base64 filename="dataflow.png" media-type="image/png">00000000</base64>
-      <remarks>
-        <p>Section 8.1, Figure 8-3 Data Flow Diagram (graphic)</p>
-        <p>This should be referenced in the system-characteristics/data-flow/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-001000000056"</p>
-        <p>May use <code>rlink</code> with a relative path, or embedded as <code>base64</code>.</p>
-        <p>FedRAMP prefers <code>base64</code> for images and diagrams.</p>
-        <p>Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.</p>
-      </remarks>
-    </resource>
-  </back-matter>
-</system-security-plan>
\ No newline at end of file
diff --git a/src/validations/constraints/fedramp-external-allowed-values.xml b/src/validations/constraints/fedramp-external-allowed-values.xml
index 762dc6eac..43cfd8e9e 100644
--- a/src/validations/constraints/fedramp-external-allowed-values.xml
+++ b/src/validations/constraints/fedramp-external-allowed-values.xml
@@ -107,14 +107,14 @@
                 <enum value="network">A physical or virtual network.</enum>
             </allowed-values>
 
-            <allowed-values id="control-implementation-status" target="control-implementation/implemented-requirement/statement/by-component/prop[@name='implementation-status']/@value" allow-other="no" level="ERROR">
+            <allowed-values id="control-implementation-status" target="control-implementation/implemented-requirement/statement/by-component/implementation-status/@state" allow-other="no" level="ERROR">
                 <formal-name>Control Implementation Status</formal-name>
                 <description>The implementation status of the control.</description>
-                <enum value="implemented">Implemented</enum>
-                <enum value="partial">Partially Implemented</enum>
-                <enum value="planned">Planned</enum>
-                <enum value="alternative">Alternative Implementation</enum>
-                <enum value="not-applicable">Not Applicable</enum>
+                <enum value="implemented">The control is fully implemented.</enum>
+                    <enum value="partial">The control is partially implemented.</enum>
+                    <enum value="planned">There is a plan for implementing the control as explained in the remarks.</enum>
+                    <enum value="alternative">There is an alternative implementation for this control as explained in the remarks.</enum>
+                    <enum value="not-applicable">This control does not apply to this system as justified in the remarks.</enum>
             </allowed-values>
 
             <allowed-values id="deployment-model" target="system-characteristics/prop[@name='cloud-deployment-model']/@value" allow-other="no" level="ERROR">
diff --git a/src/validations/constraints/unit-tests/control-implementation-status-PASS.yaml b/src/validations/constraints/unit-tests/control-implementation-status-PASS.yaml
index bba1c533e..efc00d188 100644
--- a/src/validations/constraints/unit-tests/control-implementation-status-PASS.yaml
+++ b/src/validations/constraints/unit-tests/control-implementation-status-PASS.yaml
@@ -2,7 +2,7 @@
 test-case:
   name: The valid control implementation status test.
   description: Test that the specified control implementation status is valid.
-  content: ../content/ssp-control-implementation-status-VALID.xml
+  content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
   expectations:
   - constraint-id: control-implementation-status
     result: pass
\ No newline at end of file