This repository has been archived by the owner on Dec 12, 2023. It is now read-only.

Check Role Mappings #51

Closed · 5 of 17 tasks
ohsh6o opened this issue Jan 14, 2021 · 1 comment
Labels: schematron code (a category of validations to implement), story

Comments


ohsh6o commented Jan 14, 2021

Extended Description

As a FedRAMP approver, in order to verify a submission fulfills their control obligations, I would like to check that the role mappings for each implemented requirement of a control are included in the user table.

For the conventional Word-based template, CSP authors and FedRAMP reviewers expect a properly defined role from the roles and parties defined in the tables 5.x in Other Designated Contacts and 9.3 Types of Users, where conceivably different specific administrative users are defined, and they must be specified as "owning" the implementation statement and its associated parameters.

(Screenshot attached: Screen Shot 2021-06-29 at 10 54 26 AM)

This is analogous to the following snippet in the OSCAL SSP XML sample in the guidance docs.

   <metadata>
      <role id="admin-unix">
         <title>Unix Administrator</title>
      </role>
   </metadata>

   <!-- Fragment: -->
   <system-implementation>
      <user uuid="uuid-value">
         <role-id>admin-unix</role-id>
      </user>
   </system-implementation>

   <!-- system-implementation -->
   <control-implementation>
      <implemented-requirement uuid="uuid-value" control-id="ac-2">
         <!-- cut -->
         <responsible-role role-id="admin-unix" />
         <set-parameter param-id="ac-1_prm_a">
            <value>System Manager, System Architect, ISSO</value>
         </set-parameter>
         <!-- cut -->
      </implemented-requirement>
   </control-implementation>

Preconditions

  • Preconditions...

Acceptance Criteria

  • Acceptance criteria...

Story Tasks

  • Tasks...

Definition of Done

  • Acceptance criteria met - Each user story should meet the acceptance criteria in the description
  • Unit test coverage of our code > 90% (from QASP) this may be fuzzy and hard to prove
  • Code quality checks passed - Enable html tidy with XML code standards as part of the build (from QASP)
  • Accessibility: (from QASP) as we create guidance or documentation and reports (semantic tagging including aria tags): demonstrate with 0 errors reported for WCAG 2.1 AA standards using an automated scanner and 0 errors reported in manual testing
  • Code reviewed - Code reviewed by at least one other team member (or developed by a pair)
  • Source code merged - Code that’s demoed must be in source control and merged
  • Code must successfully build and deploy into staging environment (from QASP): this may evolve from xslt sh pipeline into something more
  • Security reviewed and reported - Conduct vulnerability and compliance scanning. threat modeling?
  • Code submitted must be free of medium- and high-level static and dynamic security vulnerabilities (from QASP)
  • Usability tests passed - Each user story should be easy to use by target users (development community? FedRAMP FART team)
  • Usability testing and other user research methods must be conducted at regular intervals throughout the development process (not just at the beginning or end). (from QASP)
  • Code refactored for clarity - Code must be clean, self-documenting
  • No local design debt
  • Load/performance tests passed - test data needed - saxon instrumentation
  • Documentation generated - update readme or contributing markdown as necessary.
  • Architectural Decision Record completed as necessary for significant design choices
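The check the story asks for can be expressed as three sets: roles declared under `metadata`, roles assigned to at least one `user` in `system-implementation`, and roles named by `responsible-role` in each `implemented-requirement`. The following is an added example written for this page, not code from the fedramp-automation project and not the Schematron that eventually closed the issue; it parses a constructed sample SSP (modelled on the fragment above, with placeholder UUIDs) using only the Python standard library and reports any responsible role that is either undefined or never mapped to a user. The OSCAL 1.0 namespace is the real one; every other identifier and the sample document are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# OSCAL 1.0 namespace used by SSP documents.
NS = {"o": "http://csrc.nist.gov/ns/oscal/1.0"}

# Constructed sample SSP (not a real submission). UUIDs are placeholders.
# admin-unix  : defined and mapped to a user  -> passes
# isso        : defined but assigned to no user -> finding
# admin-windows: never defined in metadata     -> finding
SAMPLE_SSP = """<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
    uuid="00000000-0000-4000-8000-000000000001">
  <metadata>
    <role id="admin-unix"><title>Unix Administrator</title></role>
    <role id="isso"><title>Information System Security Officer</title></role>
  </metadata>
  <system-implementation>
    <user uuid="00000000-0000-4000-8000-000000000002">
      <role-id>admin-unix</role-id>
    </user>
  </system-implementation>
  <control-implementation>
    <implemented-requirement uuid="00000000-0000-4000-8000-000000000003" control-id="ac-2">
      <responsible-role role-id="admin-unix"/>
    </implemented-requirement>
    <implemented-requirement uuid="00000000-0000-4000-8000-000000000004" control-id="ac-3">
      <responsible-role role-id="isso"/>
    </implemented-requirement>
    <implemented-requirement uuid="00000000-0000-4000-8000-000000000005" control-id="ac-6">
      <responsible-role role-id="admin-windows"/>
    </implemented-requirement>
  </control-implementation>
</system-security-plan>
"""


def check_role_mappings(xml_text):
    """Return a list of (control-id, role-id, reason) findings.

    A responsible role on an implemented requirement must (1) be declared as a
    <role> in <metadata> and (2) appear as a <role-id> of at least one <user>
    in <system-implementation>, i.e. be present in the user table.
    """
    root = ET.fromstring(xml_text)

    # Roles the SSP declares at all.
    defined = {r.get("id") for r in root.findall("o:metadata/o:role", NS)}

    # Roles that are actually mapped to a user in the user table.
    in_user_table = {
        e.text.strip()
        for e in root.findall("o:system-implementation/o:user/o:role-id", NS)
        if e.text
    }

    findings = []
    reqs = root.findall("o:control-implementation/o:implemented-requirement", NS)
    for req in reqs:
        control_id = req.get("control-id")
        for rr in req.findall("o:responsible-role", NS):
            role_id = rr.get("role-id")
            if role_id not in defined:
                findings.append((control_id, role_id, "role not defined in metadata"))
            elif role_id not in in_user_table:
                findings.append((control_id, role_id, "role not assigned to any user"))
    return findings


if __name__ == "__main__":
    for control_id, role_id, reason in check_role_mappings(SAMPLE_SSP):
        print(f"{control_id}: responsible-role '{role_id}' - {reason}")
```

Running it on the constructed sample reports `ac-3`/`isso` (defined but missing from the user table) and `ac-6`/`admin-windows` (never declared), while `ac-2`/`admin-unix` passes. The two-stage distinction matters for a reviewer: an undefined role is a structural error in the SSP, whereas a defined-but-unassigned role is the gap this story is about, a responsibility that no listed user actually holds.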
@mike-stern mike-stern changed the title As a FedRAMP approver, in order to under roles and responsible parties that fulfilling their control obligations, I would like to check responsible party and role mappings for each implemented requirement of a control. As a FedRAMP approver, in order to fulfilling their control obligations, I would like to check responsible party and role mappings for each implemented requirement of a control. Jan 19, 2021
@mike-stern mike-stern changed the title As a FedRAMP approver, in order to fulfilling their control obligations, I would like to check responsible party and role mappings for each implemented requirement of a control. As a FedRAMP approver, in order to fulfill their control obligations, I would like to check role mappings for each implemented requirement of a control is included in the user table. Jan 19, 2021
@mike-stern mike-stern changed the title As a FedRAMP approver, in order to fulfill their control obligations, I would like to check role mappings for each implemented requirement of a control is included in the user table. As a FedRAMP approver, in order to verify a submission fulfills their control obligations, I would like to check role mappings for each implemented requirement of a control is included in the user table. Jan 19, 2021
@ohsh6o ohsh6o added story schematron code a category of validations to implement and removed wait-for-review labels May 13, 2021
@ohsh6o ohsh6o changed the title As a FedRAMP approver, in order to verify a submission fulfills their control obligations, I would like to check role mappings for each implemented requirement of a control is included in the user table. Check Role Mappings Jun 1, 2021
@GaryGapinski GaryGapinski self-assigned this Jul 1, 2021
@sstatz sstatz added this to the Sprint 5 milestone Jul 7, 2021
GaryGapinski (Collaborator) commented

Closed by #116.
