From cdf45457fefeed2b4c0f53164e73a2a8f6cef76c Mon Sep 17 00:00:00 2001
From: Mr Wand <paul.n.wand@gsa.gov>
Date: Fri, 3 Jan 2025 12:24:07 -0500
Subject: [PATCH 01/12] add inventory item constraints

---
 features/fedramp_extensions.feature           | 18 ++++++
 .../ssp/xml/fedramp-ssp-example.oscal.xml     | 44 +++++++++++++
 ...henticated-scan-no-has-remarks-INVALID.xml | 27 ++++++++
 .../ssp-end-of-life-date-type-INVALID.xml     | 22 +++++++
 ...inventory-item-has-asset-owner-INVALID.xml | 13 ++++
 ...sp-inventory-item-has-function-INVALID.xml | 13 ++++
 ...p-inventory-item-has-scan-type-INVALID.xml | 13 ++++
 .../ssp-scan-type-has-remarks-INVALID.xml     | 16 +++++
 .../fedramp-external-constraints.xml          | 64 ++++++++++++++++++-
 ...uthenticated-scan-no-has-remarks-FAIL.yaml |  9 +++
 ...uthenticated-scan-no-has-remarks-PASS.yaml |  9 +++
 .../end-of-life-date-type-FAIL.yaml           |  7 ++
 .../end-of-life-date-type-PASS.yaml           |  7 ++
 ...t-inventory-item-has-asset-owner-FAIL.yaml |  9 +++
 ...t-inventory-item-has-asset-owner-PASS.yaml |  9 +++
 .../inventory-item-has-function-FAIL.yaml     |  9 +++
 .../inventory-item-has-function-PASS.yaml     |  9 +++
 .../inventory-item-has-scan-type-FAIL.yaml    |  9 +++
 .../inventory-item-has-scan-type-PASS.yaml    |  9 +++
 .../scan-type-has-remarks-FAIL.yaml           |  7 ++
 .../scan-type-has-remarks-PASS.yaml           |  7 ++
 21 files changed, 328 insertions(+), 2 deletions(-)
 create mode 100644 src/validations/constraints/content/ssp-authenticated-scan-no-has-remarks-INVALID.xml
 create mode 100644 src/validations/constraints/content/ssp-end-of-life-date-type-INVALID.xml
 create mode 100644 src/validations/constraints/content/ssp-high-impact-inventory-item-has-asset-owner-INVALID.xml
 create mode 100644 src/validations/constraints/content/ssp-inventory-item-has-function-INVALID.xml
 create mode 100644 src/validations/constraints/content/ssp-inventory-item-has-scan-type-INVALID.xml
 create mode 100644 src/validations/constraints/content/ssp-scan-type-has-remarks-INVALID.xml
 create mode 100644 src/validations/constraints/unit-tests/authenticated-scan-no-has-remarks-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/authenticated-scan-no-has-remarks-PASS.yaml
 create mode 100644 src/validations/constraints/unit-tests/end-of-life-date-type-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/end-of-life-date-type-PASS.yaml
 create mode 100644 src/validations/constraints/unit-tests/high-impact-inventory-item-has-asset-owner-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/high-impact-inventory-item-has-asset-owner-PASS.yaml
 create mode 100644 src/validations/constraints/unit-tests/inventory-item-has-function-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/inventory-item-has-function-PASS.yaml
 create mode 100644 src/validations/constraints/unit-tests/inventory-item-has-scan-type-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/inventory-item-has-scan-type-PASS.yaml
 create mode 100644 src/validations/constraints/unit-tests/scan-type-has-remarks-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/scan-type-has-remarks-PASS.yaml

diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature
index 72db236e5..b07a8e19c 100644
--- a/features/fedramp_extensions.feature
+++ b/features/fedramp_extensions.feature
@@ -28,6 +28,7 @@ Examples:
   | address-type |
   | aggregate-parameters-warning |
   | attachment-type |
+  | authenticated-scan-no-has-remarks |
   | authentication-method-has-remarks |
   | authorization-type |
   | by-component-has-responsible-role |
@@ -48,6 +49,7 @@ Examples:
   | data-center-primary |
   | data-center-us |
   | deployment-model |
+  | end-of-life-date-type |
   | external-system-nature-of-agreement |
   | extraneous-implemented-requirements |
   | fedramp-citations-has-correct-link |
@@ -103,6 +105,7 @@ Examples:
   | has-system-id |
   | has-system-name-short |
   | has-user-guide |
+  | high-impact-inventory-item-has-asset-owner |
   | implementation-status-has-remarks |
   | import-profile-has-available-document |
   | import-profile-resolves-to-fedramp-content |
@@ -118,6 +121,8 @@ Examples:
   | interconnection-security |
   | inventory-item-allows-authenticated-scan |
   | inventory-item-and-component-has-public |
+  | inventory-item-has-function |
+  | inventory-item-has-scan-type |
   | inventory-item-has-valid-mac-address |
   | inventory-item-has-vendor-name |
   | inventory-item-public |
@@ -151,6 +156,7 @@ Examples:
   | role-defined-system-owner |
   | saas-has-leveraged-authorization |
   | scan-type |
+  | scan-type-has-remarks |
   | security-level |
   | security-sensitivity-level-matches-security-impact-level |
   | statement-has-this-system-component |
@@ -186,6 +192,8 @@ Examples:
   | aggregate-parameters-warning-PASS.yaml |
   | attachment-type-FAIL.yaml |
   | attachment-type-PASS.yaml |
+  | authenticated-scan-no-has-remarks-FAIL.yaml |
+  | authenticated-scan-no-has-remarks-PASS.yaml |
   | authentication-method-has-remarks-FAIL.yaml |
   | authentication-method-has-remarks-PASS.yaml |
   | authorization-type-FAIL.yaml |
@@ -226,6 +234,8 @@ Examples:
   | data-center-us-PASS.yaml |
   | deployment-model-FAIL.yaml |
   | deployment-model-PASS.yaml |
+  | end-of-life-date-type-FAIL.yaml |
+  | end-of-life-date-type-PASS.yaml |
   | external-system-nature-of-agreement-FAIL.yaml |
   | external-system-nature-of-agreement-PASS.yaml |
   | extraneous-implemented-requirements-FAIL.yaml |
@@ -336,6 +346,8 @@ Examples:
   | has-system-name-short-PASS.yaml |
   | has-user-guide-FAIL.yaml |
   | has-user-guide-PASS.yaml |
+  | high-impact-inventory-item-has-asset-owner-FAIL.yaml |
+  | high-impact-inventory-item-has-asset-owner-PASS.yaml |
   | implementation-status-has-remarks-FAIL.yaml |
   | implementation-status-has-remarks-PASS.yaml |
   | import-profile-has-available-document-FAIL.yaml |
@@ -366,6 +378,10 @@ Examples:
   | inventory-item-allows-authenticated-scan-PASS.yaml |
   | inventory-item-and-component-has-public-FAIL.yaml |
   | inventory-item-and-component-has-public-PASS.yaml |
+  | inventory-item-has-function-FAIL.yaml |
+  | inventory-item-has-function-PASS.yaml |
+  | inventory-item-has-scan-type-FAIL.yaml |
+  | inventory-item-has-scan-type-PASS.yaml |
   | inventory-item-has-valid-mac-address-FAIL.yaml |
   | inventory-item-has-valid-mac-address-PASS.yaml |
   | inventory-item-has-vendor-name-FAIL.yaml |
@@ -432,6 +448,8 @@ Examples:
   | saas-has-leveraged-authorization-PASS.yaml |
   | scan-type-FAIL.yaml |
   | scan-type-PASS.yaml |
+  | scan-type-has-remarks-FAIL.yaml |
+  | scan-type-has-remarks-PASS.yaml |
   | security-level-FAIL.yaml |
   | security-level-PASS.yaml |
   | security-sensitivity-level-matches-security-impact-level-FAIL.yaml |
diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
index b88e17809..de2e14e8d 100644
--- a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+++ b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
@@ -2344,6 +2344,11 @@ approved.</p>
           <p>If no, explain why. If yes, omit remark.</p>
         </remarks>
       </prop>
+      <prop name='function' value="none">
+        <remarks>
+          <p>it has no function</p>
+        </remarks>
+      </prop>
       <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
       <responsible-party role-id="asset-owner">
         <party-uuid>11111111-2222-4000-8000-004000000010</party-uuid>
@@ -2372,6 +2377,11 @@ approved.</p>
       <prop name="is-scanned" value="yes"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="vendor-name" value="Vendor"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
+            <prop name='function' value="none">
+        <remarks>
+          <p>it has no function</p>
+        </remarks>
+      </prop>
       <implemented-component component-uuid="11111111-2222-4000-8000-009000000008"/>
     </inventory-item>
     <inventory-item uuid="11111111-2222-4000-8000-011000000004">
@@ -2387,6 +2397,12 @@ approved.</p>
       <prop name="is-scanned" value="yes"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="vendor-name" value="Vendor"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
+      <prop name='function' value="none">
+        <remarks>
+          <p>it has no function</p>
+        </remarks>
+      </prop>
+
       <implemented-component component-uuid="11111111-2222-4000-8000-009000500006"/>
     </inventory-item>
     <inventory-item uuid="11111111-2222-4000-8000-011000000005">
@@ -2402,6 +2418,11 @@ approved.</p>
       <prop name="is-scanned" value="yes"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="vendor-name" value="Vendor"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
+            <prop name='function' value="none">
+        <remarks>
+          <p>it has no function</p>
+        </remarks>
+      </prop>
       <implemented-component component-uuid="11111111-2222-4000-8000-009000000011"/>
     </inventory-item>
     <inventory-item uuid="11111111-2222-4000-8000-011000000006">
@@ -2415,11 +2436,18 @@ approved.</p>
       <prop name="virtual" value="no"/>
       <prop name="public" value="no"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="vendor-name" value="Vendor"/>
+      <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
       <prop name="is-scanned" value="no">
         <remarks>
           <p>Asset wasn't running at time of scan.</p>
         </remarks>
       </prop>
+            <prop name='function' value="none">
+        <remarks>
+          <p>it has no function</p>
+        </remarks>
+      </prop>
+
       <implemented-component component-uuid="11111111-2222-4000-8000-009000500007"/>
     </inventory-item>
     <inventory-item uuid="11111111-2222-4000-8000-011000000007">
@@ -2435,6 +2463,11 @@ approved.</p>
       <prop name="is-scanned" value="yes"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="vendor-name" value="Vendor"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
+      <prop name='function' value="none">
+        <remarks>
+          <p>it has no function</p>
+        </remarks>
+      </prop>
       <implemented-component component-uuid="11111111-2222-4000-8000-009000000008"/>
     </inventory-item>
     <inventory-item uuid="11111111-2222-4000-8000-011000000008">
@@ -2453,6 +2486,12 @@ approved.</p>
           <p>Asset wasn't running at time of scan.</p>
         </remarks>
       </prop>
+      <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
+      <prop name='function' value="none">
+        <remarks>
+          <p>it has no function</p>
+        </remarks>
+      </prop>
       <implemented-component component-uuid="11111111-2222-4000-8000-009000500005"/>
     </inventory-item>
     <inventory-item uuid="11111111-2222-4000-8000-011000000009">
@@ -2468,6 +2507,11 @@ approved.</p>
       <prop name="is-scanned" value="yes"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="vendor-name" value="Vendor"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
+      <prop name='function' value="email">
+        <remarks>
+          <p>it sends emails</p>
+        </remarks>
+      </prop>
       <implemented-component component-uuid="11111111-2222-4000-8000-009000000018"/>
     </inventory-item>
   </system-implementation>
diff --git a/src/validations/constraints/content/ssp-authenticated-scan-no-has-remarks-INVALID.xml b/src/validations/constraints/content/ssp-authenticated-scan-no-has-remarks-INVALID.xml
new file mode 100644
index 000000000..2a39a9be9
--- /dev/null
+++ b/src/validations/constraints/content/ssp-authenticated-scan-no-has-remarks-INVALID.xml
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+  
+  <system-implementation>
+    <inventory-item uuid="77777777-0000-4000-9000-000000000007">
+      <description>
+        <p>Primary database server</p>
+      </description>
+      <prop name="asset-id" value="DB-001" ns="http://csrc.nist.gov/ns/oscal"/>
+      <prop name="asset-type" value="database"/>
+      <prop name="allows-authenticated-scan" value="no"/>
+      <prop name="public" value="no"/>
+      <prop name="virtual" value="yes"/>
+      <prop name="scan-type" value="database" ns="http://fedramp.gov/ns/oscal"/>
+      <responsible-party role-id="asset-owner">
+        <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
+      </responsible-party>
+      <implemented-component component-uuid="55555555-0000-4000-9000-000000000005">
+        <prop name="asset-id" value="DB-001" ns="http://csrc.nist.gov/ns/oscal"/>
+      </implemented-component>
+    </inventory-item>
+  </system-implementation>
+
+</system-security-plan>
diff --git a/src/validations/constraints/content/ssp-end-of-life-date-type-INVALID.xml b/src/validations/constraints/content/ssp-end-of-life-date-type-INVALID.xml
new file mode 100644
index 000000000..f8ec6e421
--- /dev/null
+++ b/src/validations/constraints/content/ssp-end-of-life-date-type-INVALID.xml
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+    uuid="12345678-1234-4321-8765-123456789012">
+    <metadata>
+        <title>Test SSP for End of Life Date Type Validation</title>
+        <last-modified>2023-12-08T12:00:00Z</last-modified>
+        <version>1.0</version>
+        <oscal-version>1.0.0</oscal-version>
+    </metadata>
+    <system-implementation>
+        <component uuid="11111111-0000-4000-9000-000000000001" type="software">
+            <title>Example Component</title>
+            <description>
+                <p>A component with an invalid end-of-life-date format</p>
+            </description>
+            <prop ns="http://fedramp.gov/ns/oscal" name="end-of-life-date" value="not-a-valid-date"/>
+            <status state="operational"/>
+        </component>
+    </system-implementation>
+</system-security-plan>
diff --git a/src/validations/constraints/content/ssp-high-impact-inventory-item-has-asset-owner-INVALID.xml b/src/validations/constraints/content/ssp-high-impact-inventory-item-has-asset-owner-INVALID.xml
new file mode 100644
index 000000000..fe940d32a
--- /dev/null
+++ b/src/validations/constraints/content/ssp-high-impact-inventory-item-has-asset-owner-INVALID.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+
+  <system-implementation>
+    <inventory-item uuid="77777777-0000-4000-9000-000000000007">
+      <prop name="virtual" value="unsupported-virtual"/>
+    </inventory-item>
+  </system-implementation>
+
+</system-security-plan>
diff --git a/src/validations/constraints/content/ssp-inventory-item-has-function-INVALID.xml b/src/validations/constraints/content/ssp-inventory-item-has-function-INVALID.xml
new file mode 100644
index 000000000..2d8409b5b
--- /dev/null
+++ b/src/validations/constraints/content/ssp-inventory-item-has-function-INVALID.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+
+  <system-implementation>
+    <inventory-item uuid="77777777-0000-4000-9000-000000000007">
+      <prop name="public" value="unsupported-public"/>
+    </inventory-item>
+  </system-implementation>
+
+</system-security-plan>
diff --git a/src/validations/constraints/content/ssp-inventory-item-has-scan-type-INVALID.xml b/src/validations/constraints/content/ssp-inventory-item-has-scan-type-INVALID.xml
new file mode 100644
index 000000000..fe940d32a
--- /dev/null
+++ b/src/validations/constraints/content/ssp-inventory-item-has-scan-type-INVALID.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+
+  <system-implementation>
+    <inventory-item uuid="77777777-0000-4000-9000-000000000007">
+      <prop name="virtual" value="unsupported-virtual"/>
+    </inventory-item>
+  </system-implementation>
+
+</system-security-plan>
diff --git a/src/validations/constraints/content/ssp-scan-type-has-remarks-INVALID.xml b/src/validations/constraints/content/ssp-scan-type-has-remarks-INVALID.xml
new file mode 100644
index 000000000..7f8352cf3
--- /dev/null
+++ b/src/validations/constraints/content/ssp-scan-type-has-remarks-INVALID.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0">
+    <component uuid="11111111-0000-4000-9000-000000000001" type="software">
+        <title>Example Component 1</title>
+        <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="other"/>
+    </component>
+    <component uuid="22222222-0000-4000-9000-000000000002" type="software">
+        <title>Example Component 2</title>
+        <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="not-applicable"/>
+    </component>
+<inventory-item>
+      <implemented-component component-uuid="11111111-0000-4000-9000-000000000001">
+        <prop name="asset-id" value="unique-asset-ID-3"/>
+      </implemented-component>
+</inventory-item>
+</system-security-plan>
diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
index 3016b1cf9..d31a42432 100644
--- a/src/validations/constraints/fedramp-external-constraints.xml
+++ b/src/validations/constraints/fedramp-external-constraints.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <metaschema-meta-constraints xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/metaschema/1.0 https://raw.githubusercontent.com/metaschema-framework/metaschema/refs/heads/develop/schema/xml/metaschema-meta-constraints.xsd">
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
     <!-- ================== -->
     <!-- FedRAMP Extensions -->
     <!-- ================== -->
@@ -571,6 +571,17 @@
         </constraints>
     </context>
 
+    <context>
+        <metapath target="//(component | inventory-item)"/>
+        <constraints>
+            <matches id="end-of-life-date-type" target="prop[@ns='http://fedramp.gov/ns/oscal' and @name='end-of-life-date']/@value" datatype="date" level="ERROR">
+                <formal-name>End of Life Date Type</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/"/>
+                <message>When the end-of-life-date property is present, it MUST be in date format.</message>
+            </matches>
+        </constraints>
+    </context>
+
     <context>
         <metapath target="/system-security-plan/system-implementation"/>
         <constraints>
@@ -642,10 +653,54 @@
         </constraints>
     </context>
 
+    <context>
+        <metapath target="//inventory-item"/>
+        <constraints>
+            <let var="high-sensitivity" expression="/system-characteristics/security-sensitivity-level='fips-199-high'"/>
+            <expect id="high-impact-inventory-item-has-asset-owner" target="." test="if ($high-sensitivity) then count(./responsible-party[@role-id=('asset-owner', 'asset-administrator')] | //component[@uuid=./implemented-component/@component-uuid]/responsible-role[@role-id=('asset-owner', 'asset-administrator')][count(party[@uuid=./party-uuid]) >= 1]) >= 1 else true()" level="ERROR">
+                <formal-name>High Impact Inventory Item Has Asset Owner</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
+                <message>For HIGH-impact systems, every inventory-item MUST identify an asset-owner or administrator property either within the inventory-item itself, or within the component linked by the inventory-item.</message>
+            </expect>
+            <expect id="high-impact-inventory-item-has-asset-owner" target="." test="if ($high-sensitivity) then count(./responsible-party[@role-id=('asset-owner', 'asset-administrator')] | //component[@uuid=./implemented-component/@component-uuid]/responsible-role[@role-id=('asset-owner', 'asset-administrator')][count(party[@uuid=./party-uuid]) >= 1]) >= 1 else true()" level="ERROR">
+                <formal-name>High Impact Inventory Item Has Asset Owner</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="fedramp_inventory_asset_owner"/>
+                <message>For HIGH-impact systems, every inventory-item MUST identify an asset-owner or administrator property either within the inventory-item itself, or within the component linked by the inventory-item.</message>
+            </expect>
+
+        </constraints>
+
+    </context>
+
+
+    <context>
+        <metapath target="//(inventory-item | component)"/>
+        <constraints>
+        <let var="high-sensitivity" expression="/system-characteristics/security-sensitivity-level='fips-199-high'"/>
+        <let var="moderate-sensitivity" expression="/system-characteristics/security-sensitivity-level='fips-199-moderate'"/>
+
+            <expect id="authenticated-scan-no-has-remarks" target="prop[@name='allows-authenticated-scan' and @value='no']" test="if ($high-sensitivity or $moderate-sensitivity) then exists(remarks) else true()" level="ERROR">
+                <formal-name>Authenticated Scan No Has Remarks</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
+                <message>FedRAMP requires CSPs to provide justification for any high or moderate impact system inventory item that does not support authenticated scans.</message>
+            </expect>
+        </constraints>
+    </context>
+
     <context>
         <metapath target="/system-security-plan/system-implementation/inventory-item"/>
         <constraints>
             <let var ="component-uuid" expression="implemented-component/@component-uuid"/>
+            <expect id="inventory-item-has-function" target="." test="exists(prop[@name='function']/remarks) or exists(../component[@uuid=$component-uuid]/prop[@name='function']/remarks)" level="ERROR">
+                <formal-name>Inventory Item Has Function</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
+                <message>Every inventory-item MUST describe the function provided by the item, either within the inventory-item itself, or within the component linked by the inventory-item.</message>
+            </expect>
+            <expect id="inventory-item-has-scan-type" target="." test="count(prop[@name='scan-type' and @ns='http://fedramp.gov/ns/oscal']) >= 1 or count(../component[@uuid=./implemented-component/@component-uuid]/prop[@name='scan-type' and @ns='http://fedramp.gov/ns/oscal']) >= 1" level="ERROR">
+                <formal-name>Inventory Item Has Scan Type</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
+                <message>Every inventory-item MUST indicate one or more scan type(s), either within the inventory-item itself, or within the component linked by the inventory-item.</message>
+            </expect>
              <expect id="inventory-item-has-valid-mac-address" target=".[prop[@name='mac-address']]/prop[@name='mac-address']" test="matches(@value, '^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})|([0-9a-fA-F]{4}\\.[0-9a-fA-F]{4}\\.[0-9a-fA-F]{4})$')" level="ERROR">
                 <formal-name>Inventory Item Has Valid Mac Address</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
@@ -653,9 +708,14 @@
             </expect>
             <expect id="inventory-item-has-vendor-name" target="." test="count(prop[@name='vendor-name' and @ns='http://fedramp.gov/ns/oscal']) >= 1 or count(../component[@uuid=$component-uuid]/prop[@name='vendor-name' and @ns='http://fedramp.gov/ns/oscal']) >= 1" level="ERROR">
                 <formal-name>Inventory Item Has Vendor Name</formal-name>
-                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="fedramp_inventory_vendor_name"/>
                 <message>In a FedRAMP SSP, each inventory item MUST include the vendor name in the inventory item itself or within the linked component.</message>
             </expect>
+            <expect id="scan-type-has-remarks" target=". | //component[@uuid=./implemented-component/@component-uuid]" test="every $prop in prop[@name='scan-type' and @ns='http://fedramp.gov/ns/oscal' and @value=('other', 'not-applicable')] satisfies exists($prop/remarks)" level="ERROR">
+                <formal-name>Scan Type Has Remarks</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
+                <message>When scan-type is 'other' or 'not-applicable', remarks MUST be provided to explain the selection.</message>
+            </expect>
         </constraints>
     </context>
 
diff --git a/src/validations/constraints/unit-tests/authenticated-scan-no-has-remarks-FAIL.yaml b/src/validations/constraints/unit-tests/authenticated-scan-no-has-remarks-FAIL.yaml
new file mode 100644
index 000000000..823a3d4ca
--- /dev/null
+++ b/src/validations/constraints/unit-tests/authenticated-scan-no-has-remarks-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for authenticated-scan-no-has-remarks
+  description: >-
+    This test case validates the behavior of constraint
+    authenticated-scan-no-has-remarks
+  content: ../content/ssp-authenticated-scan-no-has-remarks-INVALID.xml
+  expectations:
+    - constraint-id: authenticated-scan-no-has-remarks
+      result: fail
diff --git a/src/validations/constraints/unit-tests/authenticated-scan-no-has-remarks-PASS.yaml b/src/validations/constraints/unit-tests/authenticated-scan-no-has-remarks-PASS.yaml
new file mode 100644
index 000000000..4b917d3c5
--- /dev/null
+++ b/src/validations/constraints/unit-tests/authenticated-scan-no-has-remarks-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for authenticated-scan-no-has-remarks
+  description: >-
+    This test case validates the behavior of constraint
+    authenticated-scan-no-has-remarks
+  content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+  expectations:
+    - constraint-id: authenticated-scan-no-has-remarks
+      result: pass
diff --git a/src/validations/constraints/unit-tests/end-of-life-date-type-FAIL.yaml b/src/validations/constraints/unit-tests/end-of-life-date-type-FAIL.yaml
new file mode 100644
index 000000000..b4a27cea8
--- /dev/null
+++ b/src/validations/constraints/unit-tests/end-of-life-date-type-FAIL.yaml
@@ -0,0 +1,7 @@
+test-case:
+  name: Negative Test for end-of-life-date-type
+  description: This test case validates the behavior of constraint end-of-life-date-type
+  content: ../content/ssp-end-of-life-date-type-INVALID.xml
+  expectations:
+    - constraint-id: end-of-life-date-type
+      result: fail
diff --git a/src/validations/constraints/unit-tests/end-of-life-date-type-PASS.yaml b/src/validations/constraints/unit-tests/end-of-life-date-type-PASS.yaml
new file mode 100644
index 000000000..98d522661
--- /dev/null
+++ b/src/validations/constraints/unit-tests/end-of-life-date-type-PASS.yaml
@@ -0,0 +1,7 @@
+test-case:
+  name: Positive Test for end-of-life-date-type
+  description: This test case validates the behavior of constraint end-of-life-date-type
+  content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+  expectations:
+    - constraint-id: end-of-life-date-type
+      result: pass
diff --git a/src/validations/constraints/unit-tests/high-impact-inventory-item-has-asset-owner-FAIL.yaml b/src/validations/constraints/unit-tests/high-impact-inventory-item-has-asset-owner-FAIL.yaml
new file mode 100644
index 000000000..8fb2b3e03
--- /dev/null
+++ b/src/validations/constraints/unit-tests/high-impact-inventory-item-has-asset-owner-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for high-impact-inventory-item-has-asset-owner
+  description: >-
+    This test case validates the behavior of constraint
+    high-impact-inventory-item-has-asset-owner
+  content: ../content/ssp-high-impact-inventory-item-has-asset-owner-INVALID.xml
+  expectations:
+    - constraint-id: high-impact-inventory-item-has-asset-owner
+      result: fail
diff --git a/src/validations/constraints/unit-tests/high-impact-inventory-item-has-asset-owner-PASS.yaml b/src/validations/constraints/unit-tests/high-impact-inventory-item-has-asset-owner-PASS.yaml
new file mode 100644
index 000000000..773f381ab
--- /dev/null
+++ b/src/validations/constraints/unit-tests/high-impact-inventory-item-has-asset-owner-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for high-impact-inventory-item-has-asset-owner
+  description: >-
+    This test case validates the behavior of constraint
+    high-impact-inventory-item-has-asset-owner
+  content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+  expectations:
+    - constraint-id: high-impact-inventory-item-has-asset-owner
+      result: pass
diff --git a/src/validations/constraints/unit-tests/inventory-item-has-function-FAIL.yaml b/src/validations/constraints/unit-tests/inventory-item-has-function-FAIL.yaml
new file mode 100644
index 000000000..f29ed1250
--- /dev/null
+++ b/src/validations/constraints/unit-tests/inventory-item-has-function-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for inventory-item-has-function
+  description: >-
+    This test case validates the behavior of constraint
+    inventory-item-has-function
+  content: ../content/ssp-inventory-item-has-function-INVALID.xml
+  expectations:
+    - constraint-id: inventory-item-has-function
+      result: fail
diff --git a/src/validations/constraints/unit-tests/inventory-item-has-function-PASS.yaml b/src/validations/constraints/unit-tests/inventory-item-has-function-PASS.yaml
new file mode 100644
index 000000000..50d8c2bc0
--- /dev/null
+++ b/src/validations/constraints/unit-tests/inventory-item-has-function-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for inventory-item-has-function
+  description: >-
+    This test case validates the behavior of constraint
+    inventory-item-has-function
+  content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+  expectations:
+    - constraint-id: inventory-item-has-function
+      result: pass
diff --git a/src/validations/constraints/unit-tests/inventory-item-has-scan-type-FAIL.yaml b/src/validations/constraints/unit-tests/inventory-item-has-scan-type-FAIL.yaml
new file mode 100644
index 000000000..ee3da2f1e
--- /dev/null
+++ b/src/validations/constraints/unit-tests/inventory-item-has-scan-type-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for inventory-item-has-scan-type
+  description: >-
+    This test case validates the behavior of constraint
+    inventory-item-has-scan-type
+  content: ../content/ssp-inventory-item-has-scan-type-INVALID.xml
+  expectations:
+    - constraint-id: inventory-item-has-scan-type
+      result: fail
diff --git a/src/validations/constraints/unit-tests/inventory-item-has-scan-type-PASS.yaml b/src/validations/constraints/unit-tests/inventory-item-has-scan-type-PASS.yaml
new file mode 100644
index 000000000..c6a340d53
--- /dev/null
+++ b/src/validations/constraints/unit-tests/inventory-item-has-scan-type-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for inventory-item-has-scan-type
+  description: >-
+    This test case validates the behavior of constraint
+    inventory-item-has-scan-type
+  content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+  expectations:
+    - constraint-id: inventory-item-has-scan-type
+      result: pass
diff --git a/src/validations/constraints/unit-tests/scan-type-has-remarks-FAIL.yaml b/src/validations/constraints/unit-tests/scan-type-has-remarks-FAIL.yaml
new file mode 100644
index 000000000..3b267403c
--- /dev/null
+++ b/src/validations/constraints/unit-tests/scan-type-has-remarks-FAIL.yaml
@@ -0,0 +1,7 @@
+test-case:
+  name: Negative Test for scan-type-has-remarks
+  description: This test case validates the behavior of constraint scan-type-has-remarks
+  content: ../content/ssp-scan-type-has-remarks-INVALID.xml
+  expectations:
+    - constraint-id: scan-type-has-remarks
+      result: fail
diff --git a/src/validations/constraints/unit-tests/scan-type-has-remarks-PASS.yaml b/src/validations/constraints/unit-tests/scan-type-has-remarks-PASS.yaml
new file mode 100644
index 000000000..e1889714b
--- /dev/null
+++ b/src/validations/constraints/unit-tests/scan-type-has-remarks-PASS.yaml
@@ -0,0 +1,7 @@
+test-case:
+  name: Positive Test for scan-type-has-remarks
+  description: This test case validates the behavior of constraint scan-type-has-remarks
+  content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+  expectations:
+    - constraint-id: scan-type-has-remarks
+      result: pass

From 6daab98a7d7cedbb793ecf42518af5fc62fe1da8 Mon Sep 17 00:00:00 2001
From: Mr Wand <paul.n.wand@gsa.gov>
Date: Fri, 3 Jan 2025 13:27:16 -0500
Subject: [PATCH 02/12] update example file

Co-Authored-By: A.J. Stein <alexander.stein@gsa.gov>
---
 features/fedramp_extensions.feature            | 18 ++++++++++++++++++
 .../ssp/xml/fedramp-ssp-example.oscal.xml      |  1 +
 .../ssp-scan-type-has-remarks-INVALID.xml      | 10 +++++-----
 3 files changed, 24 insertions(+), 5 deletions(-)

diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature
index a29d3c941..38fd678af 100644
--- a/features/fedramp_extensions.feature
+++ b/features/fedramp_extensions.feature
@@ -28,6 +28,7 @@ Examples:
   | address-type |
   | aggregate-parameters-warning |
   | attachment-type |
+  | authenticated-scan-no-has-remarks |
   | authentication-method-has-remarks |
   | authorization-type |
   | by-component-has-responsible-role |
@@ -49,6 +50,7 @@ Examples:
   | data-center-primary |
   | data-center-us |
   | deployment-model |
+  | end-of-life-date-type |
   | external-system-nature-of-agreement |
   | extraneous-implemented-requirements |
   | fedramp-citations-has-correct-link |
@@ -104,6 +106,7 @@ Examples:
   | has-system-id |
   | has-system-name-short |
   | has-user-guide |
+  | high-impact-inventory-item-has-asset-owner |
   | image-has-checksum |
   | implementation-status-has-remarks |
   | import-profile-has-available-document |
@@ -120,6 +123,8 @@ Examples:
   | interconnection-security |
   | inventory-item-allows-authenticated-scan |
   | inventory-item-and-component-has-public |
+  | inventory-item-has-function |
+  | inventory-item-has-scan-type |
   | inventory-item-has-valid-mac-address |
   | inventory-item-has-vendor-name |
   | inventory-item-or-component-has-asset-id |
@@ -154,6 +159,7 @@ Examples:
   | role-defined-system-owner |
   | saas-has-leveraged-authorization |
   | scan-type |
+  | scan-type-has-remarks |
   | security-level |
   | security-sensitivity-level-matches-security-impact-level |
   | statement-has-this-system-component |
@@ -189,6 +195,8 @@ Examples:
   | aggregate-parameters-warning-PASS.yaml |
   | attachment-type-FAIL.yaml |
   | attachment-type-PASS.yaml |
+  | authenticated-scan-no-has-remarks-FAIL.yaml |
+  | authenticated-scan-no-has-remarks-PASS.yaml |
   | authentication-method-has-remarks-FAIL.yaml |
   | authentication-method-has-remarks-PASS.yaml |
   | authorization-type-FAIL.yaml |
@@ -231,6 +239,8 @@ Examples:
   | data-center-us-PASS.yaml |
   | deployment-model-FAIL.yaml |
   | deployment-model-PASS.yaml |
+  | end-of-life-date-type-FAIL.yaml |
+  | end-of-life-date-type-PASS.yaml |
   | external-system-nature-of-agreement-FAIL.yaml |
   | external-system-nature-of-agreement-PASS.yaml |
   | extraneous-implemented-requirements-FAIL.yaml |
@@ -341,6 +351,8 @@ Examples:
   | has-system-name-short-PASS.yaml |
   | has-user-guide-FAIL.yaml |
   | has-user-guide-PASS.yaml |
+  | high-impact-inventory-item-has-asset-owner-FAIL.yaml |
+  | high-impact-inventory-item-has-asset-owner-PASS.yaml |
   | image-has-checksum-FAIL.yaml |
   | image-has-checksum-PASS.yaml |
   | implementation-status-has-remarks-FAIL.yaml |
@@ -373,6 +385,10 @@ Examples:
   | inventory-item-allows-authenticated-scan-PASS.yaml |
   | inventory-item-and-component-has-public-FAIL.yaml |
   | inventory-item-and-component-has-public-PASS.yaml |
+  | inventory-item-has-function-FAIL.yaml |
+  | inventory-item-has-function-PASS.yaml |
+  | inventory-item-has-scan-type-FAIL.yaml |
+  | inventory-item-has-scan-type-PASS.yaml |
   | inventory-item-has-valid-mac-address-FAIL.yaml |
   | inventory-item-has-valid-mac-address-PASS.yaml |
   | inventory-item-has-vendor-name-FAIL.yaml |
@@ -441,6 +457,8 @@ Examples:
   | saas-has-leveraged-authorization-PASS.yaml |
   | scan-type-FAIL.yaml |
   | scan-type-PASS.yaml |
+  | scan-type-has-remarks-FAIL.yaml |
+  | scan-type-has-remarks-PASS.yaml |
   | security-level-FAIL.yaml |
   | security-level-PASS.yaml |
   | security-sensitivity-level-matches-security-impact-level-FAIL.yaml |
diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
index f728aa44e..a82640925 100644
--- a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+++ b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
@@ -1781,6 +1781,7 @@ compliance (e.g., Module in Process).</p>
       <prop name="model" value="stable-slim"/>
       <prop name="version" value="11"/>
       <prop name="patch-level" value="Patch Level"/>
+      <prop name="asset-id" value="unique-asset-ID-3"/>
       <link rel="validation" href="#11111111-2222-4000-8000-009000000002"/>
       <link href="https://hub.docker.com/layers/library/debian/stable/images/sha256-e83913597ca9deb9d699316a9a9d806c2a87ed61195ac66ae0a8ac55089a84b9"/>
       <status state="operational"/>
diff --git a/src/validations/constraints/content/ssp-scan-type-has-remarks-INVALID.xml b/src/validations/constraints/content/ssp-scan-type-has-remarks-INVALID.xml
index 7f8352cf3..a4af0611d 100644
--- a/src/validations/constraints/content/ssp-scan-type-has-remarks-INVALID.xml
+++ b/src/validations/constraints/content/ssp-scan-type-has-remarks-INVALID.xml
@@ -8,9 +8,9 @@
         <title>Example Component 2</title>
         <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="not-applicable"/>
     </component>
-<inventory-item>
-      <implemented-component component-uuid="11111111-0000-4000-9000-000000000001">
-        <prop name="asset-id" value="unique-asset-ID-3"/>
-      </implemented-component>
-</inventory-item>
+    <inventory-item>
+        <implemented-component component-uuid="11111111-0000-4000-9000-000000000001">
+            <prop name="asset-id" value="unique-asset-ID-3"/>
+        </implemented-component>
+    </inventory-item>
 </system-security-plan>

From 315b4d6da5f868edb37c6024b88cd1b03a93a2e4 Mon Sep 17 00:00:00 2001
From: Mr Wand <paul.n.wand@gsa.gov>
Date: Fri, 3 Jan 2025 13:46:04 -0500
Subject: [PATCH 03/12] improve scan type constraint

---
 .../rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml     | 4 +++-
 .../content/ssp-scan-type-has-remarks-INVALID.xml           | 6 +++++-
 .../constraints/fedramp-external-constraints.xml            | 6 ++++--
 3 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
index a82640925..6ea5b2f0d 100644
--- a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+++ b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
@@ -2510,7 +2510,9 @@ approved.</p>
           <p>Asset wasn't running at time of scan.</p>
         </remarks>
       </prop>
-      <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
+      <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="other">
+        <remarks>it is a brand new scan type</remarks>
+      </prop>
       <prop name='function' value="none">
         <remarks>
           <p>it has no function</p>
diff --git a/src/validations/constraints/content/ssp-scan-type-has-remarks-INVALID.xml b/src/validations/constraints/content/ssp-scan-type-has-remarks-INVALID.xml
index a4af0611d..2bc42b807 100644
--- a/src/validations/constraints/content/ssp-scan-type-has-remarks-INVALID.xml
+++ b/src/validations/constraints/content/ssp-scan-type-has-remarks-INVALID.xml
@@ -1,6 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0">
-    <component uuid="11111111-0000-4000-9000-000000000001" type="software">
+    <metadata/>
+    <system-implementation>
+   <component uuid="11111111-0000-4000-9000-000000000001" type="software">
         <title>Example Component 1</title>
         <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="other"/>
     </component>
@@ -12,5 +14,7 @@
         <implemented-component component-uuid="11111111-0000-4000-9000-000000000001">
             <prop name="asset-id" value="unique-asset-ID-3"/>
         </implemented-component>
+        <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="not-applicable"/>
     </inventory-item>
+    </system-implementation> 
 </system-security-plan>
diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
index 1b61c1501..e1b8736a0 100644
--- a/src/validations/constraints/fedramp-external-constraints.xml
+++ b/src/validations/constraints/fedramp-external-constraints.xml
@@ -728,8 +728,10 @@
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="fedramp_inventory_vendor_name"/>
                 <message>In a FedRAMP SSP, each inventory item MUST include the vendor name in the inventory item itself or within the linked component.</message>
             </expect>
-            <expect id="scan-type-has-remarks" target=". | //component[@uuid=./implemented-component/@component-uuid]" test="every $prop in prop[@name='scan-type' and @ns='http://fedramp.gov/ns/oscal' and @value=('other', 'not-applicable')] satisfies exists($prop/remarks)" level="ERROR">
-                <formal-name>Scan Type Has Remarks</formal-name>
+<expect id="scan-type-has-remarks" 
+        target="..//prop[@name='scan-type' and @ns='http://fedramp.gov/ns/oscal' and @value=('other'|'not-applicable')]" 
+        test="exists(remarks)" 
+        level="ERROR">                <formal-name>Scan Type Has Remarks</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
                 <message>When scan-type is 'other' or 'not-applicable', remarks MUST be provided to explain the selection.</message>
             </expect>

From 1399f9c9f66645c07ddfb252a5efeb8f1fac2ea1 Mon Sep 17 00:00:00 2001
From: Mr Wand <paul.n.wand@gsa.gov>
Date: Fri, 3 Jan 2025 14:52:20 -0500
Subject: [PATCH 04/12] massage constraints

---
 .../ssp/xml/fedramp-ssp-example.oscal.xml     | 58 +++++++++----------
 ...inventory-item-has-asset-owner-INVALID.xml |  3 +-
 .../fedramp-external-constraints.xml          | 44 ++++----------
 3 files changed, 41 insertions(+), 64 deletions(-)

diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
index 6ea5b2f0d..710ba036c 100644
--- a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+++ b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
@@ -929,6 +929,7 @@ that represents the whole system.</p>
       <prop name="implementation-point" value="external"/>
       <prop name="inherited-uuid" value="22222222-0000-4000-9001-009000000001"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="nature-of-agreement" value="sla"/>
+      <prop ns="http://fedramp.gov/ns/oscal" name="end-of-life-date" value="2025-12-31"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="authentication-method" value="yes">
         <remarks>
           <p>If 'yes', describe the authentication method.</p>
@@ -1651,7 +1652,9 @@ property.</p>
       </description>
       <prop name="implementation-point" value="internal"/>
       <prop name="public" value="yes"/>
+      <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
       <status state="operational"/>
+      
     </component>
     
     <!-- Virtual Appliance Component -->
@@ -1662,7 +1665,9 @@ property.</p>
         <p>Describe the virtual appliance and what it is used for.</p>
       </description>
       <prop name="implementation-point" value="internal"/>
+      <prop name='function' value='virtual'><remarks><p>virtual function</p></remarks></prop>
       <status state="operational"/>
+      
     </component>
     
     <!-- Hardware Component -->
@@ -1781,7 +1786,7 @@ compliance (e.g., Module in Process).</p>
       <prop name="model" value="stable-slim"/>
       <prop name="version" value="11"/>
       <prop name="patch-level" value="Patch Level"/>
-      <prop name="asset-id" value="unique-asset-ID-3"/>
+      <prop name="asset-id" value="unique-asset-ID-03"/>
       <link rel="validation" href="#11111111-2222-4000-8000-009000000002"/>
       <link href="https://hub.docker.com/layers/library/debian/stable/images/sha256-e83913597ca9deb9d699316a9a9d806c2a87ed61195ac66ae0a8ac55089a84b9"/>
       <status state="operational"/>
@@ -2368,11 +2373,10 @@ approved.</p>
           <p>If no, explain why. If yes, omit remark.</p>
         </remarks>
       </prop>
-      <prop name='function' value="none">
-        <remarks>
-          <p>it has no function</p>
-        </remarks>
+      <prop ns="http://fedramp.gov/ns/oscal" name="function" value="none">
+        <remarks><p>no function</p></remarks>
       </prop>
+
       <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
       <responsible-party role-id="asset-owner">
         <party-uuid>11111111-2222-4000-8000-004000000010</party-uuid>
@@ -2401,9 +2405,10 @@ approved.</p>
       <prop name="is-scanned" value="yes"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="vendor-name" value="Vendor"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
-            <prop name='function' value="none">
+
+      <prop name="function" value="Required brief, text-based description.">
         <remarks>
-          <p>it has no function</p>
+          <p>Required, longer, formatted description.</p>
         </remarks>
       </prop>
       <implemented-component component-uuid="11111111-2222-4000-8000-009000000008"/>
@@ -2420,13 +2425,9 @@ approved.</p>
       <prop name="ipv6-address" value="0000:0000:0000:0000:0000:ffff:0a04:0404"/>
       <prop name="is-scanned" value="yes"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="vendor-name" value="Vendor"/>
-      <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
-      <prop name='function' value="none">
-        <remarks>
-          <p>it has no function</p>
-        </remarks>
+      <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="other">
+        <remarks><p>a different kind of scan</p></remarks>
       </prop>
-
       <implemented-component component-uuid="11111111-2222-4000-8000-009000500006"/>
     </inventory-item>
     <inventory-item uuid="11111111-2222-4000-8000-011000000005">
@@ -2442,12 +2443,13 @@ approved.</p>
       <prop name="is-scanned" value="yes"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="vendor-name" value="Vendor"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
-            <prop name='function' value="none">
+ 
+      <prop name="function" value="Required brief, text-based description.">
         <remarks>
-          <p>it has no function</p>
+          <p>Required, longer, formatted description.</p>
         </remarks>
       </prop>
-      <implemented-component component-uuid="11111111-2222-4000-8000-009000000011"/>
+     <implemented-component component-uuid="11111111-2222-4000-8000-009000000011"/>
     </inventory-item>
     <inventory-item uuid="11111111-2222-4000-8000-011000000006">
       <description>
@@ -2460,18 +2462,18 @@ approved.</p>
       <prop name="virtual" value="no"/>
       <prop name="public" value="no"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="vendor-name" value="Vendor"/>
-      <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
       <prop name="is-scanned" value="no">
         <remarks>
           <p>Asset wasn't running at time of scan.</p>
         </remarks>
       </prop>
-            <prop name='function' value="none">
+      <prop name="function" value="Required brief, text-based description.">
         <remarks>
-          <p>it has no function</p>
+          <p>Required, longer, formatted description.</p>
         </remarks>
       </prop>
 
+      <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
       <implemented-component component-uuid="11111111-2222-4000-8000-009000500007"/>
     </inventory-item>
     <inventory-item uuid="11111111-2222-4000-8000-011000000007">
@@ -2487,9 +2489,9 @@ approved.</p>
       <prop name="is-scanned" value="yes"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="vendor-name" value="Vendor"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
-      <prop name='function' value="none">
+      <prop name="function" value="Required brief, text-based description.">
         <remarks>
-          <p>it has no function</p>
+          <p>Optional, longer, formatted description.</p>
         </remarks>
       </prop>
       <implemented-component component-uuid="11111111-2222-4000-8000-009000000008"/>
@@ -2510,14 +2512,12 @@ approved.</p>
           <p>Asset wasn't running at time of scan.</p>
         </remarks>
       </prop>
-      <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="other">
-        <remarks>it is a brand new scan type</remarks>
-      </prop>
-      <prop name='function' value="none">
+      <prop name="function" value="Required brief, text-based description.">
         <remarks>
-          <p>it has no function</p>
+          <p>Optional, longer, formatted description.</p>
         </remarks>
       </prop>
+      <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
       <implemented-component component-uuid="11111111-2222-4000-8000-009000500005"/>
     </inventory-item>
     <inventory-item uuid="11111111-2222-4000-8000-011000000009">
@@ -2533,11 +2533,7 @@ approved.</p>
       <prop name="is-scanned" value="yes"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="vendor-name" value="Vendor"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
-      <prop name='function' value="email">
-        <remarks>
-          <p>it sends emails</p>
-        </remarks>
-      </prop>
+      <prop name='function' value='virtual'><remarks><p>virtual function</p></remarks></prop>
       <implemented-component component-uuid="11111111-2222-4000-8000-009000000018"/>
     </inventory-item>
   </system-implementation>
diff --git a/src/validations/constraints/content/ssp-high-impact-inventory-item-has-asset-owner-INVALID.xml b/src/validations/constraints/content/ssp-high-impact-inventory-item-has-asset-owner-INVALID.xml
index fe940d32a..d5af980e8 100644
--- a/src/validations/constraints/content/ssp-high-impact-inventory-item-has-asset-owner-INVALID.xml
+++ b/src/validations/constraints/content/ssp-high-impact-inventory-item-has-asset-owner-INVALID.xml
@@ -3,7 +3,8 @@
                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                       xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
                       uuid="12345678-1234-4321-8765-123456789012">
-
+<metadata/>
+<import-profile href="https://raw.githubusercontent.com/GSA/fedramp-automation/master/dist/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml"></import-profile>
   <system-implementation>
     <inventory-item uuid="77777777-0000-4000-9000-000000000007">
       <prop name="virtual" value="unsupported-virtual"/>
diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
index e1b8736a0..3ec02e119 100644
--- a/src/validations/constraints/fedramp-external-constraints.xml
+++ b/src/validations/constraints/fedramp-external-constraints.xml
@@ -671,49 +671,29 @@
     </context>
 
     <context>
-        <metapath target="//inventory-item"/>
-        <constraints>
-            <let var="high-sensitivity" expression="/system-characteristics/security-sensitivity-level='fips-199-high'"/>
-            <expect id="high-impact-inventory-item-has-asset-owner" target="." test="if ($high-sensitivity) then count(./responsible-party[@role-id=('asset-owner', 'asset-administrator')] | //component[@uuid=./implemented-component/@component-uuid]/responsible-role[@role-id=('asset-owner', 'asset-administrator')][count(party[@uuid=./party-uuid]) >= 1]) >= 1 else true()" level="ERROR">
-                <formal-name>High Impact Inventory Item Has Asset Owner</formal-name>
-                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
-                <message>For HIGH-impact systems, every inventory-item MUST identify an asset-owner or administrator property either within the inventory-item itself, or within the component linked by the inventory-item.</message>
-            </expect>
-            <expect id="high-impact-inventory-item-has-asset-owner" target="." test="if ($high-sensitivity) then count(./responsible-party[@role-id=('asset-owner', 'asset-administrator')] | //component[@uuid=./implemented-component/@component-uuid]/responsible-role[@role-id=('asset-owner', 'asset-administrator')][count(party[@uuid=./party-uuid]) >= 1]) >= 1 else true()" level="ERROR">
-                <formal-name>High Impact Inventory Item Has Asset Owner</formal-name>
-                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="fedramp_inventory_asset_owner"/>
-                <message>For HIGH-impact systems, every inventory-item MUST identify an asset-owner or administrator property either within the inventory-item itself, or within the component linked by the inventory-item.</message>
-            </expect>
-
-        </constraints>
-
-    </context>
-
-
-    <context>
-        <metapath target="//(inventory-item | component)"/>
+        <metapath target="/system-security-plan/system-implementation/inventory-item"/>
         <constraints>
-        <let var="high-sensitivity" expression="/system-characteristics/security-sensitivity-level='fips-199-high'"/>
-        <let var="moderate-sensitivity" expression="/system-characteristics/security-sensitivity-level='fips-199-moderate'"/>
+            <let var="high-sensitivity" expression="../../system-characteristics/security-sensitivity-level='fips-199-high'"/>
+            <let var="moderate-sensitivity" expression="../../system-characteristics/security-sensitivity-level='fips-199-moderate'"/>
 
+            <let var ="component-uuid" expression="implemented-component/@component-uuid"/>
+            <let var ="implemented-component" expression="../component[@uuid=$component-uuid]"/>
             <expect id="authenticated-scan-no-has-remarks" target="prop[@name='allows-authenticated-scan' and @value='no']" test="if ($high-sensitivity or $moderate-sensitivity) then exists(remarks) else true()" level="ERROR">
                 <formal-name>Authenticated Scan No Has Remarks</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
                 <message>FedRAMP requires CSPs to provide justification for any high or moderate impact system inventory item that does not support authenticated scans.</message>
             </expect>
-        </constraints>
-    </context>
-
-    <context>
-        <metapath target="/system-security-plan/system-implementation/inventory-item"/>
-        <constraints>
-            <let var ="component-uuid" expression="implemented-component/@component-uuid"/>
-            <expect id="inventory-item-has-function" target="." test="exists(prop[@name='function']/remarks) or exists(../component[@uuid=$component-uuid]/prop[@name='function']/remarks)" level="ERROR">
+             <expect id="high-impact-inventory-item-has-asset-owner" target="." test="if ($high-sensitivity) then count(./responsible-party[@role-id=('asset-owner', 'asset-administrator')] | //component[@uuid=./implemented-component/@component-uuid]/responsible-role[@role-id=('asset-owner', 'asset-administrator')][count(party[@uuid=./party-uuid]) >= 1]) >= 1 else true()" level="ERROR">
+                <formal-name>High Impact Inventory Item Has Asset Owner</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
+                <message>For HIGH-impact systems, every inventory-item MUST identify an asset-owner or administrator property either within the inventory-item itself, or within the component linked by the inventory-item.</message>
+            </expect>
+            <expect id="inventory-item-has-function" target="." test="exists(prop[@name='function']/remarks) or exists($implemented-component/prop[@name='function']/remarks)" level="ERROR">
                 <formal-name>Inventory Item Has Function</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
                 <message>Every inventory-item MUST describe the function provided by the item, either within the inventory-item itself, or within the component linked by the inventory-item.</message>
             </expect>
-            <expect id="inventory-item-has-scan-type" target="." test="count(prop[@name='scan-type' and @ns='http://fedramp.gov/ns/oscal']) >= 1 or count(../component[@uuid=./implemented-component/@component-uuid]/prop[@name='scan-type' and @ns='http://fedramp.gov/ns/oscal']) >= 1" level="ERROR">
+            <expect id="inventory-item-has-scan-type" target="." test="count(prop[@name='scan-type' and @ns='http://fedramp.gov/ns/oscal']) >= 1 or count($implemented-component/prop[@name='scan-type' and @ns='http://fedramp.gov/ns/oscal']) >= 1" level="ERROR">
                 <formal-name>Inventory Item Has Scan Type</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
                 <message>Every inventory-item MUST indicate one or more scan type(s), either within the inventory-item itself, or within the component linked by the inventory-item.</message>

From 968ac9bcc5f19fa015c9ab25d0807a8a3a32381c Mon Sep 17 00:00:00 2001
From: Mr Wand <paul.n.wand@gsa.gov>
Date: Fri, 3 Jan 2025 15:22:23 -0500
Subject: [PATCH 05/12] improve constraint content

---
 ...authenticated-scan-no-has-remarks-INVALID.xml |  6 +++---
 ...ct-inventory-item-has-asset-owner-INVALID.xml | 16 +++++++++++++---
 .../constraints/fedramp-external-constraints.xml |  2 +-
 3 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/src/validations/constraints/content/ssp-authenticated-scan-no-has-remarks-INVALID.xml b/src/validations/constraints/content/ssp-authenticated-scan-no-has-remarks-INVALID.xml
index 2a39a9be9..7128ef723 100644
--- a/src/validations/constraints/content/ssp-authenticated-scan-no-has-remarks-INVALID.xml
+++ b/src/validations/constraints/content/ssp-authenticated-scan-no-has-remarks-INVALID.xml
@@ -4,6 +4,9 @@
                       xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
                       uuid="12345678-1234-4321-8765-123456789012">
   
+  <system-characteristics>
+      <security-sensitivity-level>fips-199-moderate</security-sensitivity-level>
+</system-characteristics>
   <system-implementation>
     <inventory-item uuid="77777777-0000-4000-9000-000000000007">
       <description>
@@ -18,9 +21,6 @@
       <responsible-party role-id="asset-owner">
         <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
       </responsible-party>
-      <implemented-component component-uuid="55555555-0000-4000-9000-000000000005">
-        <prop name="asset-id" value="DB-001" ns="http://csrc.nist.gov/ns/oscal"/>
-      </implemented-component>
     </inventory-item>
   </system-implementation>
 
diff --git a/src/validations/constraints/content/ssp-high-impact-inventory-item-has-asset-owner-INVALID.xml b/src/validations/constraints/content/ssp-high-impact-inventory-item-has-asset-owner-INVALID.xml
index d5af980e8..2beab9dab 100644
--- a/src/validations/constraints/content/ssp-high-impact-inventory-item-has-asset-owner-INVALID.xml
+++ b/src/validations/constraints/content/ssp-high-impact-inventory-item-has-asset-owner-INVALID.xml
@@ -3,11 +3,21 @@
                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                       xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
                       uuid="12345678-1234-4321-8765-123456789012">
-<metadata/>
-<import-profile href="https://raw.githubusercontent.com/GSA/fedramp-automation/master/dist/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml"></import-profile>
+  
+  <system-characteristics>
+      <security-sensitivity-level>fips-199-high</security-sensitivity-level>
+</system-characteristics>
   <system-implementation>
     <inventory-item uuid="77777777-0000-4000-9000-000000000007">
-      <prop name="virtual" value="unsupported-virtual"/>
+      <description>
+        <p>Primary database server</p>
+      </description>
+      <prop name="asset-id" value="DB-001" ns="http://csrc.nist.gov/ns/oscal"/>
+      <prop name="asset-type" value="database"/>
+      <prop name="allows-authenticated-scan" value="no"/>
+      <prop name="public" value="no"/>
+      <prop name="virtual" value="yes"/>
+      <prop name="scan-type" value="database" ns="http://fedramp.gov/ns/oscal"/>
     </inventory-item>
   </system-implementation>
 
diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
index 3ec02e119..562183b5d 100644
--- a/src/validations/constraints/fedramp-external-constraints.xml
+++ b/src/validations/constraints/fedramp-external-constraints.xml
@@ -683,7 +683,7 @@
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
                 <message>FedRAMP requires CSPs to provide justification for any high or moderate impact system inventory item that does not support authenticated scans.</message>
             </expect>
-             <expect id="high-impact-inventory-item-has-asset-owner" target="." test="if ($high-sensitivity) then count(./responsible-party[@role-id=('asset-owner', 'asset-administrator')] | //component[@uuid=./implemented-component/@component-uuid]/responsible-role[@role-id=('asset-owner', 'asset-administrator')][count(party[@uuid=./party-uuid]) >= 1]) >= 1 else true()" level="ERROR">
+             <expect id="high-impact-inventory-item-has-asset-owner" target="." test="if ($high-sensitivity) then count(./responsible-party[@role-id=('asset-owner', 'asset-administrator')] | $implemented-component/responsible-role[@role-id=('asset-owner', 'asset-administrator')][count(party[@uuid=./party-uuid]) >= 1]) >= 1 else true()" level="ERROR">
                 <formal-name>High Impact Inventory Item Has Asset Owner</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
                 <message>For HIGH-impact systems, every inventory-item MUST identify an asset-owner or administrator property either within the inventory-item itself, or within the component linked by the inventory-item.</message>

From fb8a997825f9c254785b48db8707239d7feb9b3b Mon Sep 17 00:00:00 2001
From: wandmagic <156969148+wandmagic@users.noreply.github.com>
Date: Mon, 6 Jan 2025 08:46:00 -0500
Subject: [PATCH 06/12] Update
 src/validations/constraints/fedramp-external-constraints.xml

Co-authored-by: Gabeblis <gabriel.rodriguez@gsa.gov>
---
 .../constraints/fedramp-external-constraints.xml     | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
index 562183b5d..adf24b6a9 100644
--- a/src/validations/constraints/fedramp-external-constraints.xml
+++ b/src/validations/constraints/fedramp-external-constraints.xml
@@ -708,13 +708,11 @@
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="fedramp_inventory_vendor_name"/>
                 <message>In a FedRAMP SSP, each inventory item MUST include the vendor name in the inventory item itself or within the linked component.</message>
             </expect>
-<expect id="scan-type-has-remarks" 
-        target="..//prop[@name='scan-type' and @ns='http://fedramp.gov/ns/oscal' and @value=('other'|'not-applicable')]" 
-        test="exists(remarks)" 
-        level="ERROR">                <formal-name>Scan Type Has Remarks</formal-name>
-                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
-                <message>When scan-type is 'other' or 'not-applicable', remarks MUST be provided to explain the selection.</message>
-            </expect>
+<expect id="scan-type-has-remarks" target="..//prop[@name='scan-type' and @ns='http://fedramp.gov/ns/oscal' and @value=('other','not-applicable')]" test="exists(remarks)" level="ERROR">
+    <formal-name>Scan Type Has Remarks</formal-name>
+    <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
+    <message>When scan-type is 'other' or 'not-applicable', remarks MUST be provided to explain the selection.</message>
+</expect>
         </constraints>
     </context>
 

From 1bc399dcb05ddcd7dd31e7b44dd9b9ef5ebc0201 Mon Sep 17 00:00:00 2001
From: wandmagic <156969148+wandmagic@users.noreply.github.com>
Date: Mon, 6 Jan 2025 08:50:33 -0500
Subject: [PATCH 07/12] Update
 src/validations/constraints/fedramp-external-constraints.xml

Co-authored-by: Gabeblis <gabriel.rodriguez@gsa.gov>
---
 src/validations/constraints/fedramp-external-constraints.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
index e75a4df79..aafd87bda 100644
--- a/src/validations/constraints/fedramp-external-constraints.xml
+++ b/src/validations/constraints/fedramp-external-constraints.xml
@@ -691,7 +691,7 @@
             <expect id="inventory-item-has-function" target="." test="exists(prop[@name='function']/remarks) or exists($implemented-component/prop[@name='function']/remarks)" level="ERROR">
                 <formal-name>Inventory Item Has Function</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
-                <message>Every inventory-item MUST describe the function provided by the item, either within the inventory-item itself, or within the component linked by the inventory-item.</message>
+                <message>Every inventory-item MUST provide remarks to describe the function of the item, either within the inventory-item itself, or within the component linked by the inventory-item.</message>
             </expect>
             <expect id="inventory-item-has-scan-type" target="." test="count(prop[@name='scan-type' and @ns='http://fedramp.gov/ns/oscal']) >= 1 or count($implemented-component/prop[@name='scan-type' and @ns='http://fedramp.gov/ns/oscal']) >= 1" level="ERROR">
                 <formal-name>Inventory Item Has Scan Type</formal-name>

From f7d52a83a654c518e813044ff91c5273b7afd6ba Mon Sep 17 00:00:00 2001
From: "~ . ~" <paul.n.wand@gsa.gov>
Date: Mon, 6 Jan 2025 08:50:43 -0500
Subject: [PATCH 08/12] Update fedramp-external-constraints.xml

---
 src/validations/constraints/fedramp-external-constraints.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
index adf24b6a9..e75a4df79 100644
--- a/src/validations/constraints/fedramp-external-constraints.xml
+++ b/src/validations/constraints/fedramp-external-constraints.xml
@@ -705,7 +705,7 @@
             </expect>
             <expect id="inventory-item-has-vendor-name" target="." test="count(prop[@name='vendor-name' and @ns='http://fedramp.gov/ns/oscal']) >= 1 or count(../component[@uuid=$component-uuid]/prop[@name='vendor-name' and @ns='http://fedramp.gov/ns/oscal']) >= 1" level="ERROR">
                 <formal-name>Inventory Item Has Vendor Name</formal-name>
-                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="fedramp_inventory_vendor_name"/>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
                 <message>In a FedRAMP SSP, each inventory item MUST include the vendor name in the inventory item itself or within the linked component.</message>
             </expect>
 <expect id="scan-type-has-remarks" target="..//prop[@name='scan-type' and @ns='http://fedramp.gov/ns/oscal' and @value=('other','not-applicable')]" test="exists(remarks)" level="ERROR">

From 1b1d68cbe6e91fa9918d407b545a9a8da3017b22 Mon Sep 17 00:00:00 2001
From: "~ . ~" <paul.n.wand@gsa.gov>
Date: Mon, 6 Jan 2025 08:52:51 -0500
Subject: [PATCH 09/12] Update fedramp-external-constraints.xml

---
 src/validations/constraints/fedramp-external-constraints.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
index e75a4df79..b0669370c 100644
--- a/src/validations/constraints/fedramp-external-constraints.xml
+++ b/src/validations/constraints/fedramp-external-constraints.xml
@@ -576,7 +576,7 @@
         <constraints>
             <matches id="end-of-life-date-type" target="prop[@ns='http://fedramp.gov/ns/oscal' and @name='end-of-life-date']/@value" datatype="date" level="ERROR">
                 <formal-name>End of Life Date Type</formal-name>
-                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/"/>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
                 <message>When the end-of-life-date property is present, it MUST be in date format.</message>
             </matches>
         </constraints>

From bb3e302a32d8327a00256624ad0c2575dea4b806 Mon Sep 17 00:00:00 2001
From: "~ . ~" <156969148+wandmagic@users.noreply.github.com>
Date: Wed, 8 Jan 2025 11:06:37 -0500
Subject: [PATCH 10/12] Squashed commit of the following:

commit d7b06235c1d8779c7a57fc68bf60f92859a30a1d
Author: wandmagic <156969148+wandmagic@users.noreply.github.com>
Date:   Tue Jan 7 14:47:44 2025 -0500

    fix constraints (#1070)

commit fc50a42fe67741fa534a71e8b36600950c02a7fc
Author: wandmagic <156969148+wandmagic@users.noreply.github.com>
Date:   Fri Jan 3 14:21:47 2025 -0500

    hotfix develop (#1064)
---
 .../constraints/fedramp-external-constraints.xml          | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
index 44e715927..a468b8655 100644
--- a/src/validations/constraints/fedramp-external-constraints.xml
+++ b/src/validations/constraints/fedramp-external-constraints.xml
@@ -66,7 +66,7 @@
             <let var="aggregate-parameters" expression="$resolved-profile//param[prop[@name='aggregates']]/@id"/>
             <let var="implemented-parameters-map" expression="map:merge(//set-parameter ! map:entry(@param-id,.))?*"/>          
             <let var="implemented-statements-map" expression="map:merge(//statement ! map:entry(@statement-id,.))?*"/>          
-            <let var="required-response-points-map" expression="map:merge($resolved-profile//part[(prop[@name='response-point'])] ! map:entry(@id,.))?*"/>          
+            <let var="required-response-points-map" expression="map:merge($resolved-profile//part[@name='statement' and (prop[@name='response-point'])] ! map:entry(@id,.))?*"/>          
             <index name="index-implemented-statements" target="$implemented-statements-map">
                 <formal-name>Statements implimented in SSP</formal-name>
                 <description>This index includes all statements defined in a FedRAMP SSP</description>
@@ -92,12 +92,12 @@
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#external-systems-and-services-not-having-fedramp-authorization"/>
                 <message>A FedRAMP SSP MUST have each component describing leveraged systems, interconnections, or authorized services identify a "provider" role that references one responsible party.</message>
             </expect>
-                        <index-has-key id='extraneous-implemented-requirements' target="//implemented-requirement" name="index-imported-controls" level="ERROR">
+                        <index-has-key id='extraneous-implemented-requirements' target="//implemented-requirement" name="index-imported-controls" level="WARNING">
                 <formal-name>Additional Controls Implemented Not in Baseline</formal-name>
-                <description>A FedRAMP SSP MUST NOT include extraneous controls outside of the FedRAMP baseline.</description>
+                <description>A FedRAMP SSP SHOULD NOT include extraneous controls outside of the FedRAMP baseline.</description>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/6-security-controls/#implementation-status"/>
                 <key-field target="@control-id"/>
-                <message>A FedRAMP SSP MUST NOT include extraneous controls outside of the FedRAMP baseline. Extraneous control: ({@control-id}).</message>
+                <message>A FedRAMP SSP SHOULD NOT include extraneous controls outside of the FedRAMP baseline. Extraneous control: ({@control-id}).</message>
             </index-has-key>
 
             <index name="index-implemented-parameters" target="$implemented-parameters-map">

From 0defc6874467def739678811f982ef4ef0d31159 Mon Sep 17 00:00:00 2001
From: "~ . ~" <156969148+wandmagic@users.noreply.github.com>
Date: Wed, 8 Jan 2025 15:56:46 -0500
Subject: [PATCH 11/12] Squashed commit of the following:

commit 18a02c93b47d11c623730fe458feaeae6a2101e4
Author: wandmagic <156969148+wandmagic@users.noreply.github.com>
Date:   Wed Jan 8 09:37:15 2025 -0500

    Hotfix styles (#1076)

    * style guide hotfix

    * Update fedramp-external-constraints.xml

commit 60b3c5077782c17e0decb20863e5468e7b8b0888
Author: DimitriZhurkin <dimitri.zhurkin@noblis.org>
Date:   Wed Jan 8 07:14:14 2025 -0700

    Add the inter-boundary-component-has-information-type constraint (#1066)

    * Add the inter-boundary-component-has-information-type constraint

    * clean up ssp-inter-boundary-component-has-information-type-INVALID.xml

commit d7b06235c1d8779c7a57fc68bf60f92859a30a1d
Author: wandmagic <156969148+wandmagic@users.noreply.github.com>
Date:   Tue Jan 7 14:47:44 2025 -0500

    fix constraints (#1070)

commit fc50a42fe67741fa534a71e8b36600950c02a7fc
Author: wandmagic <156969148+wandmagic@users.noreply.github.com>
Date:   Fri Jan 3 14:21:47 2025 -0500

    hotfix develop (#1064)
---
 features/fedramp_extensions.feature           |  3 ++
 features/steps/fedramp_extensions_steps.ts    | 30 ++++++++-----
 .../ssp/xml/fedramp-ssp-example.oscal.xml     | 12 ++++++
 ...component-has-information-type-INVALID.xml | 36 ++++++++++++++++
 .../fedramp-external-constraints.xml          | 43 ++++++++-----------
 ...y-component-has-information-type-FAIL.yaml |  8 ++++
 ...y-component-has-information-type-PASS.yaml |  8 ++++
 7 files changed, 105 insertions(+), 35 deletions(-)
 create mode 100644 src/validations/constraints/content/ssp-inter-boundary-component-has-information-type-INVALID.xml
 create mode 100644 src/validations/constraints/unit-tests/inter-boundary-component-has-information-type-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/inter-boundary-component-has-information-type-PASS.yaml

diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature
index 38fd678af..7aced5bef 100644
--- a/features/fedramp_extensions.feature
+++ b/features/fedramp_extensions.feature
@@ -119,6 +119,7 @@ Examples:
   | information-type-has-confidentiality-impact |
   | information-type-has-integrity-impact |
   | information-type-system |
+  | inter-boundary-component-has-information-type |
   | interconnection-direction |
   | interconnection-security |
   | inventory-item-allows-authenticated-scan |
@@ -377,6 +378,8 @@ Examples:
   | information-type-id-PASS.yaml |
   | information-type-system-FAIL.yaml |
   | information-type-system-PASS.yaml |
+  | inter-boundary-component-has-information-type-FAIL.yaml |
+  | inter-boundary-component-has-information-type-PASS.yaml |
   | interconnection-direction-FAIL.yaml |
   | interconnection-direction-PASS.yaml |
   | interconnection-security-FAIL.yaml |
diff --git a/features/steps/fedramp_extensions_steps.ts b/features/steps/fedramp_extensions_steps.ts
index 44b2435df..601f7b8af 100644
--- a/features/steps/fedramp_extensions_steps.ts
+++ b/features/steps/fedramp_extensions_steps.ts
@@ -1,23 +1,22 @@
-import { BeforeAll, BeforeStep, Given, Then, When, setDefaultTimeout, world } from "@cucumber/cucumber";
+import { BeforeAll, Given, Then, When, setDefaultTimeout } from "@cucumber/cucumber";
 import { expect } from "chai";
 import {
+  existsSync,
+  mkdirSync,
   readFileSync,
   readdirSync,
   unlinkSync,
   writeFileSync,
-  mkdirSync,
-  existsSync,
 } from "fs";
 import { load } from "js-yaml";
-import { executeOscalCliCommand, resolveProfile, resolveProfileDocument, validateDocument} from "oscal";
-import {checkServerStatus} from 'oscal/dist/server.js'
-import { dirname, join,parse, resolve } from "path";
-import { Exception, Log, Result } from "sarif";
+import { JSDOM } from 'jsdom';
+import { executeOscalCliCommand, formatSarifOutput, resolveProfileDocument, validateDocument } from "oscal";
+import { checkServerStatus } from 'oscal/dist/server.js';
+import { dirname, join, parse, resolve } from "path";
+import { Log } from "sarif";
 import { fileURLToPath } from "url";
-import { parseString } from "xml2js";
-import {JSDOM} from 'jsdom'
 import { promisify } from "util";
-import {formatSarifOutput} from 'oscal'
+import { parseString } from "xml2js";
 let executor: 'oscal-cli'|'oscal-server' = process.env.OSCAL_EXECUTOR as 'oscal-cli'|'oscal-server' || 'oscal-cli'
 const quiet = process.env.OSCAL_TEST_QUIET === 'true'
 
@@ -686,6 +685,7 @@ Then('I should have valid results {string}', async function (fileToValidate) {
 
 Then('I should verify that all constraints follow the style guide constraint', async function () {
   const baseDir = join(__dirname, '..', '..');
+  const styleGuidePath = join(baseDir, 'src', 'validations', 'styleguides', 'fedramp-constraint-style.xml');
   const constraintDir = join(baseDir, 'src', 'validations', 'constraints');
   const constraintFiles = readdirSync(constraintDir).filter(file => 
     file.startsWith('fedramp') && file.endsWith('.xml')
@@ -701,7 +701,15 @@ Then('I should verify that all constraints follow the style guide constraint', a
       const fileContent = readFileSync(filePath, 'utf8');
       const dom = new JSDOM(fileContent, { contentType: 'text/xml' });
       const document = dom.window.document;
-
+      const {isValid,log} = await validateDocument(filePath,{flags:['disable-schema'],quiet,extensions:[styleGuidePath],module:"http://csrc.nist.gov/ns/oscal/metaschema/1.0"},executor)
+      writeFileSync(
+        join(
+          __dirname,
+          "../../sarif/",
+          fileName.split(".xml").join("").toString()+".sarif"
+        ),JSON.stringify(log, null,"\t"))  
+      const formattedErrors = (formatSarifOutput(log));
+      formattedErrors&&errors.push(formattedErrors)
       // Process each 'constraints' block separately
       document.querySelectorAll('constraints').forEach(constraintsNode => {
         // Get direct child elements with IDs within this constraints block
diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
index 710ba036c..769cc3a18 100644
--- a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+++ b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
@@ -1200,6 +1200,10 @@ leveraged-authorization assembly:</p>
       <prop name="implementation-point" value="external"/>
       <prop name="direction" value="incoming" ns="http://fedramp.gov/ns/oscal"/>
       <prop name="direction" value="outgoing" ns="http://fedramp.gov/ns/oscal"/>
+
+      <prop ns="http://fedramp.gov/ns/oscal" name="information-type" class="incoming" value="C.3.5.1"/>
+      <prop ns="http://fedramp.gov/ns/oscal" name="information-type" class="outgoing" value="C.3.5.8"/>
+
       <prop name="connection-security" value="tls-1.3" ns="http://fedramp.gov/ns/oscal"/>
       <prop name="asset-type" value="saas"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="authentication-method" value="yes">
@@ -1841,6 +1845,10 @@ compliance (e.g., Module in Process).</p>
       <prop name="implementation-point" value="external"/>
       <prop name="direction" value="incoming" ns="http://fedramp.gov/ns/oscal"/>
       <prop name="direction" value="outgoing" ns="http://fedramp.gov/ns/oscal"/>
+
+      <prop ns="http://fedramp.gov/ns/oscal" name="information-type" class="incoming" value="C.3.5.1"/>
+      <prop ns="http://fedramp.gov/ns/oscal" name="information-type" class="outgoing" value="C.3.5.8"/>
+
       <prop ns="http://fedramp.gov/ns/oscal" name="authentication-method" value="yes">
         <remarks>
           <p>If 'yes', describe the authentication method.</p>
@@ -2264,6 +2272,10 @@ approved.</p>
       <prop name="implementation-point" value="external"/>
       <prop name="direction" value="incoming" ns="http://fedramp.gov/ns/oscal"/>
       <prop name="direction" value="outgoing" ns="http://fedramp.gov/ns/oscal"/>
+
+      <prop ns="http://fedramp.gov/ns/oscal" name="information-type" class="incoming" value="C.3.5.1"/>
+      <prop ns="http://fedramp.gov/ns/oscal" name="information-type" class="outgoing" value="C.3.5.8"/>
+
       <prop ns="http://fedramp.gov/ns/oscal" name="authentication-method" value="yes">
         <remarks>
           <p>If 'yes', describe the authentication method.</p>
diff --git a/src/validations/constraints/content/ssp-inter-boundary-component-has-information-type-INVALID.xml b/src/validations/constraints/content/ssp-inter-boundary-component-has-information-type-INVALID.xml
new file mode 100644
index 000000000..5b248eef3
--- /dev/null
+++ b/src/validations/constraints/content/ssp-inter-boundary-component-has-information-type-INVALID.xml
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<?xml-model href="https://github.com/usnistgov/OSCAL/releases/download/v1.1.3/oscal_ssp_schema.xsd" schematypens="http://www.w3.org/2001/XMLSchema" title="OSCAL complete schema"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="df903c4c-6bb5-4b78-8a71-c5baa06a9f2e">
+   <system-implementation>
+      <component uuid="67ecaba6-e5be-4c92-9731-e55825689e8f" type="service">
+         <title>Service B</title>
+         <description>
+            <p>An non-authorized service provided by the Awesome Cloud leveraged authorization.</p>
+            <p>Describe the service and what it is used for.</p>
+         </description>
+         <prop name="implementation-point" value="external"/>
+         <prop name="connection-security" value="non-fedramp-value" ns="https://fedramp.gov/ns/oscal"/>
+         <prop ns="https://fedramp.gov/ns/oscal" name="provider" value="self"/>
+         <prop ns="https://fedramp.gov/ns/oscal" name="still-supported" value="yes"/>
+         <prop ns="https://fedramp.gov/ns/oscal" name="authentication-method" value="yes">
+            <remarks>
+               <p>If 'yes', describe the authentication method.</p>
+               <p>If 'no', explain why no authentication is used.</p>
+               <p>If 'not-applicable', attest explain why authentication is not applicable in the remarks.</p>
+            </remarks>
+         </prop>
+         <prop name="poam-item-uuid" ns="https://fedramp.gov/ns/oscal" value="11111111-3333-4000-8000-000000000001"/>
+         <prop name="poam-id" ns="https://fedramp.gov/ns/oscal" value="ID-0001"/>
+         <link rel="provided-by" href="#11111111-2222-4000-8000-009000100001"/>
+         <status state="operational"/>
+         <responsible-role role-id="admin">
+         </responsible-role>
+         <responsible-role role-id="provider">
+            <party-uuid>33333333-2222-4000-8000-004000000001</party-uuid>
+         </responsible-role>
+         <remarks>
+            <p>Each non-authorized leveraged service must be expressed as a "service" component.</p>
+         </remarks>
+      </component>
+   </system-implementation>
+</system-security-plan>
\ No newline at end of file
diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
index a468b8655..856cad3df 100644
--- a/src/validations/constraints/fedramp-external-constraints.xml
+++ b/src/validations/constraints/fedramp-external-constraints.xml
@@ -585,7 +585,7 @@
     <context>
         <metapath target="/system-security-plan/system-implementation"/>
         <constraints>
-            <let var="inter-boundary-component" expression="component[(@type=('service','software') and not(prop[@name='leveraged-authorization-uuid']) and prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type=('service', 'software') and prop[@name='implementation-point' and @value='internal'] and (prop[@name='communicates-externally' and @value='yes' and @ns='http://fedramp.gov/ns/oscal']))]"/>
+            <let var="inter-boundary-component" expression="component[(@type=('service','software') and not(prop[@name='leveraged-authorization-uuid']) and prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type=('service','software') and prop[@name='implementation-point' and @value='internal'] and (prop[@name='communicates-externally' and @value='yes' and @ns='http://fedramp.gov/ns/oscal']))]"/>
             <expect id="authentication-method-has-remarks" target="//component[(@type='system' and ./prop[@name='leveraged-authorization-uuid']) or (@type='service' and not(./prop[@name='leveraged-authorization-uuid']) and ./prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type='service' and ./prop[@name='implementation-point' and @value='internal'] and ./prop[@name='direction']) or (@type='software' and ./prop[@name='asset-type' and @value='cli'] and ./prop[@name='direction'])]" test="count(./prop[@name='authentication-method' and @ns='http://fedramp.gov/ns/oscal'])  = count(./prop[@name='authentication-method' and @ns='http://fedramp.gov/ns/oscal']/remarks)" level="ERROR">
                 <formal-name>Authentication Method Has Remarks</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#leveraged-fedramp-authorized-services"/>
@@ -603,7 +603,7 @@
             </expect>
             <expect id="image-has-checksum" target="//component[@type='software' and ./prop[@name='asset-type' and @value='image']]" test="count(./prop[@name='checksum' and @ns='http://fedramp.gov/ns/oscal']) = 1" level="ERROR">
                 <formal-name>Container Image Has Checksum Property</formal-name>
-                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="insert-help-url-here"/>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
                 <message>In a FedRAMP SSP, a component that describes a container or operating system image MUST define a checksum property.</message>
             </expect>
             <expect id="information-type-has-class" target="component/prop[@name='information-type' and @ns='http://fedramp.gov/ns/oscal']" test="exists(@class)" level="ERROR">
@@ -611,11 +611,21 @@
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#leveraged-fedramp-authorized-services"/>
                 <message>In a FedRAMP SSP, each information type property in a component MUST categorize the class of data flow as incoming to the system, outgoing from the system, or both.</message>
             </expect>
+            <expect id="inter-boundary-component-has-information-type" target="$inter-boundary-component" test="count(prop[@name='information-type' and @ns='http://fedramp.gov/ns/oscal']) &gt;= 1" level="ERROR">
+                <formal-name>Inter-Boundary Component Has Information Type</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#system-information-and-information-types"/>
+                <message>An inter-boundary communication component {@uuid} ({path(.)}) MUST have at least one information-type property.</message>
+            </expect>
             <expect id="inventory-item-and-component-has-public" target="(inventory-item | component[@type='service' and prop[@name='implementation-point' and @value='internal']])" test="count(prop[@name='public']) = 1" level="ERROR">
                 <formal-name>Inventory Item and Component Has Public</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
                 <message>In a FedRAMP SSP, each inventory item and internal service component MUST state if they are public-facing.</message>
             </expect>
+            <expect id="inventory-item-or-component-has-asset-id" target="(inventory-item)| (component[@type='software' and prop[@name='asset-type' and @value='image']])" test="count(prop[@name='asset-id']) = 1" level="ERROR">
+                <formal-name>Inventory Item or Component Has Asset ID</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
+                <message>In a FedRAMP SSP, each inventory item and software image component MUST include the asset ID.</message>
+            </expect>
             <expect id="leveraged-authorization-has-authorization-type" target="leveraged-authorization" test="count(prop[@name='authorization-type'][@ns='http://fedramp.gov/ns/oscal']) = 1" level="ERROR">
                 <formal-name>Leveraged Authorization Has Authorization Type</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#leveraged-fedramp-authorized-services"/>
@@ -659,16 +669,6 @@
         </constraints>
     </context>
 
-    <context>
-        <metapath target="/system-security-plan/system-implementation"/>
-        <constraints>
-            <expect id="inventory-item-or-component-has-asset-id" target="(inventory-item)| (component[@type='software' and prop[@name='asset-type' and @value='image']])" test="count(prop[@name='asset-id']) = 1" level="ERROR">
-                <formal-name>Inventory Item or Component Has Asset ID</formal-name>
-                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
-                <message>In a FedRAMP SSP, each inventory item and software image component MUST include the asset ID.</message>
-            </expect>
-        </constraints>
-    </context>
 
     <context>
         <metapath target="/system-security-plan/system-implementation/inventory-item"/>
@@ -681,7 +681,7 @@
             <expect id="authenticated-scan-no-has-remarks" target="prop[@name='allows-authenticated-scan' and @value='no']" test="if ($high-sensitivity or $moderate-sensitivity) then exists(remarks) else true()" level="ERROR">
                 <formal-name>Authenticated Scan No Has Remarks</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
-                <message>FedRAMP requires CSPs to provide justification for any high or moderate impact system inventory item that does not support authenticated scans.</message>
+                <message>A FedRAMP SSP MUST provide justification for any high or moderate impact system inventory item that does not support authenticated scans.</message>
             </expect>
              <expect id="high-impact-inventory-item-has-asset-owner" target="." test="if ($high-sensitivity) then count(./responsible-party[@role-id=('asset-owner', 'asset-administrator')] | $implemented-component/responsible-role[@role-id=('asset-owner', 'asset-administrator')][count(party[@uuid=./party-uuid]) >= 1]) >= 1 else true()" level="ERROR">
                 <formal-name>High Impact Inventory Item Has Asset Owner</formal-name>
@@ -796,6 +796,7 @@
             'sc-1_smt.a' : 'at least one procedure that addresses System and Communications Protection MUST be associated with SC-1 part a.',
             'si-1_smt.a' : 'at least one procedure that addresses System and Information Integrity MUST be associated with SI-1 part a.',
             'sr-1_smt.a' : 'at least one procedure that addresses Supply Chain Risk Management MUST be associated with SR-1 part a.'}"/>
+            <let var="component-uuid" expression="by-component/@component-uuid"/>
             <expect id="has-policy" target=".[@statement-id=$control-statement-ids]" test="some $uuid in $component-uuid satisfies count(../../../system-implementation/component[@uuid=$component-uuid and @type='policy']) >= 1" level="ERROR">
                 <formal-name>Has Policy</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/6-security-controls/#organization-policy-and-procedure-statements"/>
@@ -806,6 +807,11 @@
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/6-security-controls/#organization-policy-and-procedure-statements"/>
                 <message>In a FedRAMP SSP, {$procedure-messages(./@statement-id)}</message>
             </expect>
+            <expect id="statement-has-this-system-component" target="." test="count(../../../system-implementation/component[@type='this-system' and @uuid=$component-uuid]) = 1" level="ERROR">
+                <formal-name>Statement Has This System Component</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/6-security-controls/#response-this-system-component"/>
+                <message>In a FedRAMP SSP, each control implementation statement MUST have one "this-system" by-component.</message>
+            </expect>
         </constraints>
     </context>
 
@@ -825,17 +831,6 @@
         </constraints>
     </context>
 
-    <context>
-        <metapath target="/system-security-plan/control-implementation/implemented-requirement/statement"/>
-        <constraints>
-            <let var="component-uuid" expression="by-component/@component-uuid"/>
-            <expect id="statement-has-this-system-component" target="." test="count(../../../system-implementation/component[@type='this-system' and @uuid=$component-uuid]) = 1" level="ERROR">
-                <formal-name>Statement Has This System Component</formal-name>
-                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/6-security-controls/#response-this-system-component"/>
-                <message>In a FedRAMP SSP, each control implementation statement MUST have one "this-system" by-component.</message>
-            </expect>
-        </constraints>
-    </context>
 
     <context>
         <metapath target="/system-security-plan/system-characteristics/authorization-boundary/diagram/link"/>
diff --git a/src/validations/constraints/unit-tests/inter-boundary-component-has-information-type-FAIL.yaml b/src/validations/constraints/unit-tests/inter-boundary-component-has-information-type-FAIL.yaml
new file mode 100644
index 000000000..e148e6f8d
--- /dev/null
+++ b/src/validations/constraints/unit-tests/inter-boundary-component-has-information-type-FAIL.yaml
@@ -0,0 +1,8 @@
+# Driver for the invalid inter-boundary-component-has-information-type constraint unit test.
+test-case:
+  name: The invalid inter-boundary-component-has-information-type constraint unit test.
+  description: Test that the FedRAMP SSP inter-boundary communication component does not have the "information-type" property.
+  content: ../content/ssp-inter-boundary-component-has-information-type-INVALID.xml
+  expectations:
+  - constraint-id: inter-boundary-component-has-information-type
+    result: fail
\ No newline at end of file
diff --git a/src/validations/constraints/unit-tests/inter-boundary-component-has-information-type-PASS.yaml b/src/validations/constraints/unit-tests/inter-boundary-component-has-information-type-PASS.yaml
new file mode 100644
index 000000000..6bb761964
--- /dev/null
+++ b/src/validations/constraints/unit-tests/inter-boundary-component-has-information-type-PASS.yaml
@@ -0,0 +1,8 @@
+# Driver for the valid inter-boundary-component-has-information-type constraint unit test.
+test-case:
+  name: The valid inter-boundary-component-has-information-type constraint unit test.
+  description: Test that the FedRAMP SSP inter-boundary communication component has at least one "information-type" property.
+  content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+  expectations:
+  - constraint-id: inter-boundary-component-has-information-type
+    result: pass
\ No newline at end of file

From 372a8f3b74b83f3671a74d4951b9e1d3981ed3a2 Mon Sep 17 00:00:00 2001
From: "~ . ~" <156969148+wandmagic@users.noreply.github.com>
Date: Thu, 9 Jan 2025 14:54:24 -0500
Subject: [PATCH 12/12] Squashed commit of the following:

commit 8c1a343b60cc162ab325b9a9ee75aab9cca01bfd
Author: Gabeblis <gabriel.rodriguez@gsa.gov>
Date:   Thu Jan 9 11:45:37 2025 -0500

    Add new metapath target to 'security-level' constraint (#1079)

commit 608080ddc3697c5de8fdf0488b221146aeadd678
Author: wandmagic <156969148+wandmagic@users.noreply.github.com>
Date:   Thu Jan 9 09:29:17 2025 -0500

    add additional sample content (#1081)

commit 1f55a73df1df93e8e33f5e2d3509a613adf823c3
Author: Gabeblis <gabriel.rodriguez@gsa.gov>
Date:   Thu Jan 9 09:22:28 2025 -0500

    Correct constraint message. (#1085)

commit 18a02c93b47d11c623730fe458feaeae6a2101e4
Author: wandmagic <156969148+wandmagic@users.noreply.github.com>
Date:   Wed Jan 8 09:37:15 2025 -0500

    Hotfix styles (#1076)

    * style guide hotfix

    * Update fedramp-external-constraints.xml

commit 60b3c5077782c17e0decb20863e5468e7b8b0888
Author: DimitriZhurkin <dimitri.zhurkin@noblis.org>
Date:   Wed Jan 8 07:14:14 2025 -0700

    Add the inter-boundary-component-has-information-type constraint (#1066)

    * Add the inter-boundary-component-has-information-type constraint

    * clean up ssp-inter-boundary-component-has-information-type-INVALID.xml

commit d7b06235c1d8779c7a57fc68bf60f92859a30a1d
Author: wandmagic <156969148+wandmagic@users.noreply.github.com>
Date:   Tue Jan 7 14:47:44 2025 -0500

    fix constraints (#1070)

commit fc50a42fe67741fa534a71e8b36600950c02a7fc
Author: wandmagic <156969148+wandmagic@users.noreply.github.com>
Date:   Fri Jan 3 14:21:47 2025 -0500

    hotfix develop (#1064)
---
 .../ssp/xml/fedramp-ssp-example.oscal.xml     |  48 +++++--
 .../content/resolved-example-profile.xml      |  33 +++++
 ...ssp-has-required-response-points-VALID.xml | 118 ++++++++++++++++++
 .../content/ssp-security-level-INVALID.xml    |   9 ++
 .../fedramp-external-allowed-values.xml       |   5 +-
 .../fedramp-external-constraints.xml          |   4 +-
 .../has-required-response-points-PASS.yaml    |   4 +-
 7 files changed, 209 insertions(+), 12 deletions(-)
 create mode 100644 src/validations/constraints/content/resolved-example-profile.xml
 create mode 100644 src/validations/constraints/content/ssp-has-required-response-points-VALID.xml

diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
index 769cc3a18..171d69de9 100644
--- a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+++ b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
@@ -2577,8 +2577,9 @@ SSP authors must add implmentations for all required controls.
         <value>at least every 3 years</value>
       </set-parameter><set-parameter param-id="ac-01_odp.07">
         <value>at least annually</value>
-      </set-parameter><statement statement-id="ac-1_smt.a.1" uuid="11111111-2222-4000-8000-013000000001">
-        <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000001">
+      </set-parameter>
+      <statement statement-id="ac-1_smt" uuid="11111117-2222-4000-8000-013000000001">
+<by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000001">
           <description>
             <p>Describe how Part a is satisfied within the system.</p>
             <p>Legacy approach. If no policy component is defined, describe here how the policy satisfies part a.</p>
@@ -2608,6 +2609,37 @@ SSP authors must add implmentations for all required controls.
                     </responsible-role>
         </by-component>
       </statement>
+      <statement statement-id="ac-1_smt.a.1" uuid="11111111-2222-4000-8000-013000000001">
+        <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8880-014000000001">
+          <description>
+            <p>Describe how Part a is satisfied within the system.</p>
+            <p>Legacy approach. If no policy component is defined, describe here how the policy satisfies part a.</p>
+            <p>In this case, a link must be provided to the policy.</p>
+            <p>FedRAMP prefers all policies and procedures be attached as a resource in the back-matter. The link points to a resource.</p>
+          </description>
+          <link href="#11111111-2222-4000-8000-001000000005" rel="policy"/>
+          <link href="#11111111-2222-4000-8000-001000000023" rel="procedure"/>
+          <implementation-status state="operational"/>
+                    <responsible-role role-id="system-admin">
+                        <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
+                    </responsible-role>
+          <remarks>
+            <p>The specified component is the system itself.</p>
+            <p>Any control implementation response that can not be associated with another component is associated with the component representing the system.</p>
+          </remarks>
+        </by-component>
+        <by-component component-uuid="11111111-2222-4000-8000-009000000012" uuid="11111111-2222-4000-8000-014000000012">
+          <description>
+            <p>Describe how this policy component satisfies part a.</p>
+            <p>Component approach. This links to a component representing the Identity Management and Access Control Policy.</p>
+            <p>That component contains a link to the policy, so it does not have to be linked here too.</p>
+          </description>
+          <implementation-status state="operational"/>
+                    <responsible-role role-id="system-admin">
+                        <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
+                    </responsible-role>
+        </by-component>
+      </statement>
       <statement statement-id="ac-1_smt.a.2" uuid="11111111-2222-4000-8000-013000000002">
         <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000003">
           <description>
@@ -2841,7 +2873,7 @@ SSP authors must add implmentations for all required controls.
                     </responsible-role>
         </by-component>
       </statement><statement statement-id="at-1_smt.a" uuid="11111111-2222-4000-8000-013000000008">
-        <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000012">
+        <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000017">
           <description>
             <p>Describe how Part a is satisfied.</p>
           </description>
@@ -2911,7 +2943,7 @@ SSP authors must add implmentations for all required controls.
       </set-parameter><responsible-role role-id="information-system-security-officer">
         <party-uuid>11111111-2222-4000-8000-004000000011</party-uuid>
       </responsible-role><statement statement-id="au-1_smt" uuid="11111111-2222-4000-8000-013000000011">
-        <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000017">
+        <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8800-004000000017">
           <description>
             <p>Describe how the control is satisfied within the system.</p>
           </description>
@@ -3811,7 +3843,7 @@ SSP authors must add implmentations for all required controls.
         <value>All employees, contractors, and third-party vendors who handle sensitive information or have access to organizational media.</value>
       </set-parameter><responsible-role role-id="information-system-security-officer">
         <party-uuid>11111111-2222-4000-8000-004000000011</party-uuid>
-      </responsible-role><statement statement-id="_smt" uuid="11111111-2222-4000-8000-013000000039">
+      </responsible-role><statement statement-id="mp-1_smt" uuid="11111111-2222-4000-8000-013000000039">
         <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000059">
           <description>
             <p>Describe how the control is satisfied within the system.</p>
@@ -3826,7 +3858,9 @@ SSP authors must add implmentations for all required controls.
                         <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
                     </responsible-role>
         </by-component>
-      </statement><statement statement-id="mp-1_smt.a" uuid="11111111-2222-4000-8000-013000000040">
+      </statement>
+      
+      <statement statement-id="mp-1_smt.a" uuid="11111111-2222-4000-8000-013000000040">
         <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000060">
           <description>
             <p>For the portion of the control satisfied by the service provider, describe <strong>how</strong> the control is met.</p>
@@ -3896,7 +3930,7 @@ SSP authors must add implmentations for all required controls.
         <value>All personnel with access to company facilities or systems, including employees, contractors, and third-party vendors.</value>
       </set-parameter><responsible-role role-id="information-system-security-officer">
         <party-uuid>11111111-2222-4000-8000-004000000011</party-uuid>
-      </responsible-role><statement statement-id="_smt" uuid="11111111-2222-4000-8000-013000000043">
+      </responsible-role><statement statement-id="pe-1_smt" uuid="11111111-2222-4000-8000-013000000043">
         <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000065">
           <description>
             <p>Describe how the control is satisfied within the system.</p>
diff --git a/src/validations/constraints/content/resolved-example-profile.xml b/src/validations/constraints/content/resolved-example-profile.xml
new file mode 100644
index 000000000..ce2dd5bc1
--- /dev/null
+++ b/src/validations/constraints/content/resolved-example-profile.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="2a1553a7-2ae5-4669-a260-7c6fe6215170">
+    <metadata>
+        <title>Sample</title>
+        <last-modified>2025-01-08T00:00:00Z</last-modified>
+        <version>1.0</version>
+        <oscal-version>1.1.3</oscal-version>
+    </metadata>
+    <control id="sample-1">
+        <title>Sample 1</title>
+        <part name="statement" id="sample-1_smt">
+            <part name="item" id="sample-1_smt.a">
+                <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="You must fill in this response point." />
+                <p>Should be INCLUDED (sample-1_smt.a)</p>
+                <part name="item" id="sample-1_smt.a.1">
+                    <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="You must fill in this response point." />
+                    <p>Should be INCLUDED (sample-1_smt.a.1)</p>
+                </part>
+            </part>
+        </part>
+
+        <part id="sample-1_obj" name="assessment-objective">
+            <part id="sample-1_obj.a" name="assessment-objective">
+                <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="You must fill in this response point."/>
+                <p>this should be EXCLUDED (sample-1_obj.a)</p>
+                <part id="sample-1_obj.a-1" name="assessment-objective">
+                    <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="You must fill in this response point."/>
+                    <p>this should be EXCLUDED (sample-1_obj.a-1)</p>
+                </part>
+            </part>
+        </part>
+    </control>
+</catalog>
\ No newline at end of file
diff --git a/src/validations/constraints/content/ssp-has-required-response-points-VALID.xml b/src/validations/constraints/content/ssp-has-required-response-points-VALID.xml
new file mode 100644
index 000000000..c32acfbf1
--- /dev/null
+++ b/src/validations/constraints/content/ssp-has-required-response-points-VALID.xml
@@ -0,0 +1,118 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<?xml-model href="https://raw.githubusercontent.com/usnistgov/OSCAL/v1.0.4/xml/schema/oscal_complete_schema.xsd" schematypens="http://www.w3.org/2001/XMLSchema" title="OSCAL complete schema"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="11111111-2222-4000-8000-000000000000">
+<metadata></metadata>
+     <import-profile href="resolved-example-profile.xml"/>
+     <control-implementation>
+     <description></description>
+         <implemented-requirement uuid="11111111-2222-4000-8000-012000000001" control-id="unsupported-id">
+            <prop name="control-origination" ns="http://fedramp.gov/ns/oscal" value="sp-system"/>
+            <link href="#11111111-2222-4000-8000-001000000005" rel="policy"/>
+            <link href="#11111111-2222-4000-8000-001000000023" rel="procedure"/>
+            <set-parameter param-id="ac-1_prm_1">
+                <value>organization-defined personnel or roles</value>
+            </set-parameter>
+                        <set-parameter param-id="mp-2_prm_2">
+                <value>Chief Information Security Officer, Information System Security Officers, and System Administrators</value>
+            </set-parameter>
+                        <statement statement-id="sample-1_smt" uuid="11111111-2222-4000-8000-013000000008">
+                <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000003">
+                    <description>
+                        <p>There</p>
+                    </description>
+                    <prop name="planned-completion-date" ns="http://fedramp.gov/ns/oscal" value="2024-01-31Z"/>
+                    <implementation-status state="partial">
+                        <remarks>
+                            <p>Describe the plan to complete the implementation.</p>
+                        </remarks>
+                    </implementation-status>
+                </by-component>
+                <by-component component-uuid="11111111-2222-4000-8000-009000000013" uuid="11111111-2222-4000-8000-014000000004">
+                    <description>
+                        <p>Describe how this policy currently satisfies part a.</p>
+                    </description>
+                    <prop name="planned-completion-date" ns="http://fedramp.gov/ns/oscal" value="2024-01-31Z">
+                        <remarks>
+                            <p>Describe the plan for addressing the missing policy elements.</p>
+                        </remarks>
+                    </prop>
+                    <implementation-status state="partial">
+                        <remarks>
+                            <p>Identify what is currently missing from this policy.</p>
+                        </remarks>
+                    </implementation-status>
+                </by-component>
+            </statement>
+            <statement statement-id="ac-1_smt.a.1" uuid="11111111-2222-4000-8000-013000000001">
+                <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000001">
+                    <description>
+                        <p>Describe how Part a is satisfied within the system.</p>
+                        <p>Legacy approach. If no policy component is defined, describe here how the policy satisfies part a.</p>
+                        <p>In this case, a link must be provided to the policy.</p>
+                        <p>FedRAMP prefers all policies and procedures be attached as a resource in the back-matter. The link points to a resource.</p>
+                    </description>
+                    <link href="#11111111-2222-4000-8000-001000000005" rel="policy"/>
+                    <link href="#11111111-2222-4000-8000-001000000023" rel="procedure"/>
+                    <implementation-status state="operational"/>
+                    <remarks>
+                        <p>The specified component is the system itself.</p>
+                        <p>Any control implementation response that can not be associated with another component is associated with the component representing the system.</p>
+                    </remarks>
+                </by-component>
+                <by-component component-uuid="11111111-2222-4000-8000-009000000012" uuid="11111111-2222-4000-8000-014000000002">
+                    <description>
+                        <p>Describe how this policy component satisfies part a.</p>
+                        <p>Component approach. This links to a component representing the Identity Management and Access Control Policy.</p>
+                        <p>That component contains a link to the policy, so it does not have to be linked here too.</p>
+                    </description>
+                    <implementation-status state="operational"/>
+                </by-component>
+            </statement>
+            <statement statement-id="sample-1_smt.a" uuid="11111111-2222-4000-8000-013000000002">
+                <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000003">
+                    <description>
+                        <p>There</p>
+                    </description>
+                    <prop name="planned-completion-date" ns="http://fedramp.gov/ns/oscal" value="2024-01-31Z"/>
+                    <implementation-status state="partial">
+                        <remarks>
+                            <p>Describe the plan to complete the implementation.</p>
+                        </remarks>
+                    </implementation-status>
+                </by-component>
+                <by-component component-uuid="11111111-2222-4000-8000-009000000013" uuid="11111111-2222-4000-8000-014000000004">
+                    <description>
+                        <p>Describe how this policy currently satisfies part a.</p>
+                    </description>
+                    <prop name="planned-completion-date" ns="http://fedramp.gov/ns/oscal" value="2024-01-31Z">
+                        <remarks>
+                            <p>Describe the plan for addressing the missing policy elements.</p>
+                        </remarks>
+                    </prop>
+                    <implementation-status state="partial">
+                        <remarks>
+                            <p>Identify what is currently missing from this policy.</p>
+                        </remarks>
+                    </implementation-status>
+                </by-component>
+            </statement>
+
+            <statement statement-id="sample-1_smt.a.1" uuid="11111111-2222-4000-8000-013000000003">
+                <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000005">
+                    <description>
+                        <p>Describe how Part b-1 is satisfied.</p>
+                    </description>
+                    <implementation-status state="operational"/>
+                </by-component>
+            </statement>
+            <statement statement-id="ac-1_smt.b.2" uuid="11111111-2222-4000-8000-013000000004">
+                <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-014000000006">
+                    <description>
+                        <p>Describe how Part b-2 is satisfied.</p>
+                    </description>
+                    <implementation-status state="operational"/>
+                </by-component>
+            </statement>
+        </implemented-requirement>
+    </control-implementation>
+</system-security-plan>
\ No newline at end of file
diff --git a/src/validations/constraints/content/ssp-security-level-INVALID.xml b/src/validations/constraints/content/ssp-security-level-INVALID.xml
index 33d9cdaef..fa4f426b4 100644
--- a/src/validations/constraints/content/ssp-security-level-INVALID.xml
+++ b/src/validations/constraints/content/ssp-security-level-INVALID.xml
@@ -24,4 +24,13 @@
       <security-objective-availability>INVALID-fips-199-moderate</security-objective-availability>
     </security-impact-level>
   </system-characteristics>
+  <system-implementation>
+    <leveraged-authorization uuid="11111111-2222-4000-8000-019000000001">
+      <prop ns="http://fedramp.gov/ns/oscal" name="impact-level" value="INVALID-fips-199-moderate">
+        <remarks>
+          <p>For now, this is a required field. In the future we intend to pull this information directly from FedRAMP's records based on the "leveraged-system-identifier" property's value.</p>
+        </remarks>
+      </prop>
+    </leveraged-authorization>
+  </system-implementation>
 </system-security-plan>
\ No newline at end of file
diff --git a/src/validations/constraints/fedramp-external-allowed-values.xml b/src/validations/constraints/fedramp-external-allowed-values.xml
index 592df480c..4e2013a05 100644
--- a/src/validations/constraints/fedramp-external-allowed-values.xml
+++ b/src/validations/constraints/fedramp-external-allowed-values.xml
@@ -647,9 +647,10 @@
         <metapath target="/system-security-plan/system-characteristics/security-sensitivity-level"/>
         <metapath target="/system-security-plan/system-characteristics/security-impact-level/(security-objective-confidentiality|security-objective-integrity|security-objective-availability)"/>
         <metapath target="/system-security-plan/system-characteristics/system-information/information-type/(confidentiality-impact|integrity-impact|availability-impact)/(base|selected)"/>
+        <metapath target="/system-security-plan/system-implementation/leveraged-authorization"/>
         <constraints>
-
-            <allowed-values id="security-level" target="." allow-other="no" level="ERROR">
+            <let var="security-level-target" expression="if (prop[@name='impact-level' and @ns='http://fedramp.gov/ns/oscal']) then prop[@name='impact-level' and @ns='http://fedramp.gov/ns/oscal']/@value else ."/>
+            <allowed-values id="security-level" target="$security-level-target" allow-other="no" level="ERROR">
                 <formal-name>Security Impact Level</formal-name>
                 <description>The security objective level as defined by <a href="https://doi.org/10.6028/NIST.SP.800-60v1r1">NIST SP 800-60</a>.
                 </description>
diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
index 856cad3df..af1baef6b 100644
--- a/src/validations/constraints/fedramp-external-constraints.xml
+++ b/src/validations/constraints/fedramp-external-constraints.xml
@@ -66,7 +66,7 @@
             <let var="aggregate-parameters" expression="$resolved-profile//param[prop[@name='aggregates']]/@id"/>
             <let var="implemented-parameters-map" expression="map:merge(//set-parameter ! map:entry(@param-id,.))?*"/>          
             <let var="implemented-statements-map" expression="map:merge(//statement ! map:entry(@statement-id,.))?*"/>          
-            <let var="required-response-points-map" expression="map:merge($resolved-profile//part[@name='statement' and (prop[@name='response-point'])] ! map:entry(@id,.))?*"/>          
+            <let var="required-response-points-map" expression="map:merge($resolved-profile//part[@name='statement' and (.//prop[@name='response-point'])] ! map:entry(@id,.))?*"/>          
             <index name="index-implemented-statements" target="$implemented-statements-map">
                 <formal-name>Statements implimented in SSP</formal-name>
                 <description>This index includes all statements defined in a FedRAMP SSP</description>
@@ -151,7 +151,7 @@
             <expect id="leveraged-authorization-has-valid-impact-level" target="//leveraged-authorization/prop[@name='impact-level'][@ns='http://fedramp.gov/ns/oscal']/@value" test=". = $sensitivity-level-floor" level="ERROR">
                 <formal-name>Leveraged Authorization Has Valid Impact Level</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#leveraged-fedramp-authorized-services"/>
-                <message>A FedRAMP SSP MUST define the appropriate FIPS-199 impact level (low, moderate, or high) for each leveraged authorization.</message>
+                <message>The FIPS-199 impact level of the leveraged system MUST be the same or higher than the impact level of this system.</message>
             </expect>
             <expect id="non-provider-responsible-role-references-user" target="." test="$non-provider-user-has-function-performed" level="ERROR">
                 <formal-name>Non-Provider Responsible Role References User</formal-name>
diff --git a/src/validations/constraints/unit-tests/has-required-response-points-PASS.yaml b/src/validations/constraints/unit-tests/has-required-response-points-PASS.yaml
index 719e673d1..0f80b159d 100644
--- a/src/validations/constraints/unit-tests/has-required-response-points-PASS.yaml
+++ b/src/validations/constraints/unit-tests/has-required-response-points-PASS.yaml
@@ -3,7 +3,9 @@ test-case:
   description: >-
     This test case validates the behavior of constraint
     has-required-response-points
-  content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+  content: 
+    - ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+    - ../content/ssp-has-required-response-points-VALID.xml
   expectations:
     - constraint-id: has-required-response-points
       result: pass