Properly hoist response point corrections.

Put them in the right locations in the report instead of repeating them ad nauseam.
18F · Jan 12, 2021 · 7b2dbfa · 7b2dbfa
1 parent d7f18db
commit 7b2dbfa
Showing 1 changed file with 7 additions and 7 deletions.
diff --git a/resources/validations/src/ssp.sch b/resources/validations/src/ssp.sch
@@ -241,13 +241,20 @@
         <sch:let name="all-missing" value="$required-controls[not(@id = $implemented/@control-id)]"/>
         <sch:let name="core-missing" value="$required-controls[o:prop[@name='CORE' and @ns=$registry-ns] and @id = $all-missing/@id]"/>
         <sch:let name="extraneous" value="$implemented[not(@control-id = $required-controls/@id)]"/>
+        <sch:let name="required-response-points" value="$selected-profile/o:catalog//o:part[@name='item']"/>
+        <sch:let name="implemented-response-points" value="/o:system-security-plan/o:control-implementation/o:implemented-requirement/o:statement"/>
+        <sch:let name="missing-response-points" value="$required-response-points[not(@id = $implemented-response-points/@statement-id)]"/>
         <sch:report id="each-required-control-report" test="count($required-controls) > 0">The following <sch:value-of select="count($required-controls)"/><sch:value-of select="if (count($required-controls)=1) then ' control' else ' controls'"/> are required: <sch:value-of select="$required-controls/@id"/></sch:report>
         <sch:assert role="error" id="incomplete-core-implemented-requirements" test="not(exists($core-missing))">This SSP has not implemented the most important <sch:value-of select="count($core-missing)"/> core<sch:value-of select="if (count($core-missing)=1) then ' control' else ' controls'"/>: <sch:value-of select="$core-missing/@id"/></sch:assert>
         <sch:assert role="warn" id="incomplete-all-implemented-requirements" test="not(exists($all-missing))">This SSP has not implemented <sch:value-of select="count($all-missing)"/><sch:value-of select="if (count($all-missing)=1) then ' control' else ' controls'"/> overall: <sch:value-of select="$all-missing/@id"/></sch:assert>
         <sch:assert id="extraneous-implemented-requirements" test="not(exists($extraneous))">This SSP has implemented <sch:value-of select="count($extraneous)"/> extraneous<sch:value-of select="if (count($extraneous)=1) then ' control' else ' controls'"/> not needed given the selected profile: <sch:value-of select="$extraneous/@control-id"/></sch:assert>
         <sch:let name="results" value="$ok-values => lv:analyze(//o:implemented-requirement/o:annotation[@name='implementation-status'])"/>
         <sch:let name="total" value="$results/reports/@count"/>
         <sch:report id="control-implemented-requirements-stats" test="count($results/errors/error) = 0"><sch:value-of select="$results => lv:report() => normalize-space()"/></sch:report>
+        <sch:report id="implemented-response-points" test="exists($implemented-response-points)"
+            >This SSP has implemented a statement for each of the following lettered response points for required controls: <sch:value-of select="$implemented-response-points/@statement-id"/>.</sch:report>
+        <sch:assert role="error" id="missing-response-points" test="not(exists($missing-response-points))"
+            >This SSP has not implemented a statement for each of the following lettered response points for required controls: <sch:value-of select="$missing-response-points/@id"/>.</sch:assert>
     </sch:rule>
 
     <sch:rule context="/o:system-security-plan/o:control-implementation/o:implemented-requirement">
@@ -257,14 +264,7 @@
         <sch:let name="registry-ns" value="$registry/f:fedramp-values/f:namespace/f:ns/@ns"/>
         <sch:let name="status" value="./o:annotation[@name='implementation-status']/@value"/>
         <sch:let name="corrections" value="lv:correct($registry/f:fedramp-values/f:value-set[@name='control-implementation-status'], $status)"/>
-        <sch:let name="required-response-points" value="$selected-profile/o:catalog//o:part[@name='item']"/>
-        <sch:let name="implemented" value="/o:system-security-plan/o:control-implementation/o:implemented-requirement/o:statement"/>
-        <sch:let name="missing" value="$required-response-points[not(@id = $implemented/@statement-id)]"/>
         <sch:assert role="error" id="invalid-implementation-status" test="not(exists($corrections))">Invalid status '<sch:value-of select="$status"/>' for <sch:value-of select="./@control-id"/>, must be <sch:value-of select="$corrections"/></sch:assert>
-        <sch:report id="implemented-response-points" test="exists($implemented)"
-            >This SSP has implemented a statement for each of the following lettered response points for required controls: <sch:value-of select="$implemented/@statement-id"/>.</sch:report>
-        <sch:assert role="error" id="missing-response-points" test="not(exists($missing))"
-            >This SSP has not implemented a statement for each of the following lettered response points for required controls: <sch:value-of select="$missing/@id"/>.</sch:assert>
     </sch:rule>
 
     <sch:rule context="/o:system-security-plan/o:control-implementation/o:implemented-requirement/o:statement">