RubyGems - onc_certification_g10_test_kit - Versions diffs - 3.1.0 → 3.3.0 - Mend

onc_certification_g10_test_kit 3.1.0 → 3.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (52) hide show

data/lib/onc_certification_g10_test_kit/single_patient_api_group.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+require_relative 'incorrectly_permitted_tls_versions_messages_setup_test'
 module ONCCertificationG10TestKit
   class SinglePatientAPIGroup < Inferno::TestGroup
     id :g10_single_patient_api
@@ -92,5 +94,7 @@ module ONCCertificationG10TestKit
       group(from: id, exclude_optional: true, config: group_config)
     end
+    test from: :g10_incorrectly_permitted_tls_versions_messages_setup
   end
 end

data/lib/onc_certification_g10_test_kit/single_patient_us_core_4_api_group.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+require_relative 'incorrectly_permitted_tls_versions_messages_setup_test'
 module ONCCertificationG10TestKit
   class SinglePatientUSCore4APIGroup < Inferno::TestGroup
     id :g10_single_patient_us_core_4_api
@@ -92,5 +94,7 @@ module ONCCertificationG10TestKit
       group(from: id, exclude_optional: true, config: group_config)
     end
+    test from: :g10_incorrectly_permitted_tls_versions_messages_setup
   end
 end

data/lib/onc_certification_g10_test_kit/single_patient_us_core_5_api_group.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+require_relative 'incorrectly_permitted_tls_versions_messages_setup_test'
 module ONCCertificationG10TestKit
   class SinglePatientUSCore5APIGroup < Inferno::TestGroup
     id :g10_single_patient_us_core_5_api
@@ -92,5 +94,7 @@ module ONCCertificationG10TestKit
       group(from: id, exclude_optional: true, config: group_config)
     end
+    test from: :g10_incorrectly_permitted_tls_versions_messages_setup
   end
 end

data/lib/onc_certification_g10_test_kit/smart_app_launch_invalid_aud_group.rb CHANGED Viewed

@@ -91,7 +91,7 @@ module ONCCertificationG10TestKit
                 :smart_authorization_url
     test from: :smart_app_redirect do
-      required_suite_options smart_app_launch_version: 'smart_app_launch_1'
+      required_suite_options G10Options::SMART_1_REQUIREMENT
       input :client_secret,
             name: :standalone_client_secret,
@@ -118,7 +118,7 @@ module ONCCertificationG10TestKit
     end
     test from: :smart_app_redirect_stu2 do
-      required_suite_options smart_app_launch_version: 'smart_app_launch_2'
+      required_suite_options G10Options::SMART_2_REQUIREMENT
       config(
         inputs: {

data/lib/onc_certification_g10_test_kit/smart_ehr_patient_launch_group.rb CHANGED Viewed

@@ -1,17 +1,29 @@
+require_relative 'patient_scope_test'
 module ONCCertificationG10TestKit
   class SMARTEHRPatientLaunchGroup < SMARTAppLaunch::EHRLaunchGroup
     title 'EHR Launch with Patient Scopes'
     description %(
       # Background
+      Systems are required to support the `permission-patient` capability as
+      part of the [Clinician Access for EHR Launch Capability
+      Set.](http://hl7.org/fhir/smart-app-launch/1.0.0/conformance/index.html#clinician-access-for-ehr-launch)
+      Additionally, if an application launched from an EHR requests and is
+      granted a clinical scope restricted to a single patient, the EHR SHALL
+      establish a patient in context.
-      If an application launched from an EHR requests and is granted a clinical
-      scope restricted to a single patient, the EHR SHALL establish a patient in
-      context.
+      Register Inferno as an EHR-launched application using patient-level scopes
+      and the following URIs:
+      * Launch URI: `#{SMARTAppLaunch::AppLaunchTest.config.options[:launch_uri]}`
+      * Redirect URI: `#{SMARTAppLaunch::AppRedirectTest.config.options[:redirect_uri]}`
       # Test Methodology
       Inferno will attempt an EHR Launch with a clinical scope restricted to a
-      single patient and verify that a patient id is received.
+      single patient and verify that a patient-level scope is granted and a
+      patient id is received.
       For more information on the #{title}
@@ -43,6 +55,9 @@ module ONCCertificationG10TestKit
         launch: {
           name: :ehr_patient_launch
         },
+        received_scopes: {
+          name: :ehr_patient_received_scopes
+        },
         smart_credentials: {
           name: :ehr_patient_smart_credentials
         },
@@ -67,6 +82,7 @@ module ONCCertificationG10TestKit
         patient_id: { name: :ehr_patient_patient_id },
         encounter_id: { name: :ehr_patient_encounter_id },
         received_scopes: { name: :ehr_patient_received_scopes },
+        requested_scopes: { name: :ehr_patient_requested_scopes },
         intent: { name: :ehr_patient_intent },
         smart_credentials: { name: :ehr_patient_smart_credentials }
       },
@@ -89,5 +105,12 @@ module ONCCertificationG10TestKit
              smart_credentials: { name: :ehr_patient_smart_credentials }
            }
          }
+    test from: :g10_patient_scope,
+         config: {
+           options: {
+             scope_version: :v1
+           }
+         }
   end
 end

data/lib/onc_certification_g10_test_kit/smart_ehr_patient_launch_group_stu2.rb CHANGED Viewed

@@ -1,17 +1,29 @@
+require_relative 'patient_scope_test'
 module ONCCertificationG10TestKit
   class SMARTEHRPatientLaunchGroupSTU2 < SMARTAppLaunch::EHRLaunchGroupSTU2
     title 'EHR Launch with Patient Scopes'
     description %(
       # Background
+      Systems are required to support the `permission-patient` capability as
+      part of the [Clinician Access for EHR Launch Capability
+      Set.](http://hl7.org/fhir/smart-app-launch/STU2/conformance.html#clinician-access-for-ehr-launch)
+      Additionally, if an application launched from an EHR requests and is
+      granted a clinical scope restricted to a single patient, the EHR SHALL
+      establish a patient in context.
-      If an application launched from an EHR requests and is granted a clinical
-      scope restricted to a single patient, the EHR SHALL establish a patient in
-      context.
+      Register Inferno as an EHR-launched application using patient-level scopes
+      and the following URIs:
+      * Launch URI: `#{SMARTAppLaunch::AppLaunchTest.config.options[:launch_uri]}`
+      * Redirect URI: `#{SMARTAppLaunch::AppRedirectTest.config.options[:redirect_uri]}`
       # Test Methodology
       Inferno will attempt an EHR Launch with a clinical scope restricted to a
-      single patient and verify that a patient id is received.
+      single patient and verify that a patient-level scope is granted and a
+      patient id is received.
       For more information on the #{title}
@@ -43,6 +55,9 @@ module ONCCertificationG10TestKit
         launch: {
           name: :ehr_patient_launch
         },
+        received_scopes: {
+          name: :ehr_patient_received_scopes
+        },
         smart_credentials: {
           name: :ehr_patient_smart_credentials
         },
@@ -67,6 +82,7 @@ module ONCCertificationG10TestKit
         patient_id: { name: :ehr_patient_patient_id },
         encounter_id: { name: :ehr_patient_encounter_id },
         received_scopes: { name: :ehr_patient_received_scopes },
+        requested_scopes: { name: :ehr_patient_requested_scopes },
         intent: { name: :ehr_patient_intent },
         smart_credentials: { name: :ehr_patient_smart_credentials }
       },
@@ -90,5 +106,12 @@ module ONCCertificationG10TestKit
              smart_credentials: { name: :ehr_patient_smart_credentials }
            }
          }
+    test from: :g10_patient_scope,
+         config: {
+           options: {
+             scope_version: :v2
+           }
+         }
   end
 end

data/lib/onc_certification_g10_test_kit/smart_ehr_practitioner_app_group.rb CHANGED Viewed

@@ -60,7 +60,7 @@ module ONCCertificationG10TestKit
     input_order :url, :ehr_client_id, :ehr_client_secret
     group from: :smart_discovery do
-      required_suite_options(smart_app_launch_version: 'smart_app_launch_1')
+      required_suite_options(G10Options::SMART_1_REQUIREMENT)
       test from: 'g10_smart_well_known_capabilities',
            config: {
@@ -80,7 +80,7 @@ module ONCCertificationG10TestKit
     end
     group from: :smart_discovery_stu2 do
-      required_suite_options(smart_app_launch_version: 'smart_app_launch_2')
+      required_suite_options(G10Options::SMART_2_REQUIREMENT)
       test from: 'g10_smart_well_known_capabilities',
            config: {
@@ -95,7 +95,6 @@ module ONCCertificationG10TestKit
                  'permission-offline',
                  'permission-user',
                  'authorize-post',
-                 'permission-v1',
                  'permission-v2'
                ]
              }
@@ -103,7 +102,7 @@ module ONCCertificationG10TestKit
     end
     group from: :smart_ehr_launch do
-      required_suite_options(smart_app_launch_version: 'smart_app_launch_1')
+      required_suite_options(G10Options::SMART_1_REQUIREMENT)
       title 'EHR Launch With Practitioner Scope'
       input :client_secret,
@@ -173,7 +172,7 @@ module ONCCertificationG10TestKit
                access_token: { name: :ehr_access_token }
              }
            },
-           required_suite_options: { us_core_version: 'us_core_5' }
+           required_suite_options: G10Options::US_CORE_5_REQUIREMENT
       test do
         title 'Launch context contains smart_style_url which links to valid JSON'
@@ -221,6 +220,22 @@ module ONCCertificationG10TestKit
                  'Token response did not contain `need_patient_banner`'
         end
       end
+      tests[2].config(
+        outputs: {
+          incorrectly_permitted_tls_versions_messages: {
+            name: :auth_incorrectly_permitted_tls_versions_messages
+          }
+        }
+      )
+      tests[5].config(
+        outputs: {
+          incorrectly_permitted_tls_versions_messages: {
+            name: :token_incorrectly_permitted_tls_versions_messages
+          }
+        }
+      )
     end
     group from: :smart_ehr_launch_stu2,
@@ -240,7 +255,7 @@ module ONCCertificationG10TestKit
               }
             }
           } do
-      required_suite_options(smart_app_launch_version: 'smart_app_launch_2')
+      required_suite_options(G10Options::SMART_2_REQUIREMENT)
       title 'EHR Launch With Practitioner Scope'
       input :client_secret,
@@ -309,7 +324,7 @@ module ONCCertificationG10TestKit
                access_token: { name: :ehr_access_token }
              }
            },
-           required_suite_options: { us_core_version: 'us_core_5' }
+           required_suite_options: G10Options::US_CORE_5_REQUIREMENT
       test do
         title 'Launch context contains smart_style_url which links to valid JSON'
@@ -357,6 +372,22 @@ module ONCCertificationG10TestKit
                  'Token response did not contain `need_patient_banner`'
         end
       end
+      tests[2].config(
+        outputs: {
+          incorrectly_permitted_tls_versions_messages: {
+            name: :auth_incorrectly_permitted_tls_versions_messages
+          }
+        }
+      )
+      tests[5].config(
+        outputs: {
+          incorrectly_permitted_tls_versions_messages: {
+            name: :token_incorrectly_permitted_tls_versions_messages
+          }
+        }
+      )
     end
     group from: :smart_openid_connect,
@@ -417,5 +448,25 @@ module ONCCertificationG10TestKit
                patient_id: ehr_patient_id
       end
     end
+    test from: :g10_incorrectly_permitted_tls_versions_messages_setup,
+         id: :g10_auth_incorrectly_permitted_tls_versions_messages_setup,
+         config: {
+           inputs: {
+             incorrectly_permitted_tls_versions_messages: {
+               name: :auth_incorrectly_permitted_tls_versions_messages
+             }
+           }
+         }
+    test from: :g10_incorrectly_permitted_tls_versions_messages_setup,
+         id: :g10_token_incorrectly_permitted_tls_versions_messages_setup,
+         config: {
+           inputs: {
+             incorrectly_permitted_tls_versions_messages: {
+               name: :token_incorrectly_permitted_tls_versions_messages
+             }
+           }
+         }
   end
 end

data/lib/onc_certification_g10_test_kit/smart_invalid_pkce_group.rb CHANGED Viewed

@@ -19,7 +19,7 @@ module ONCCertificationG10TestKit
       oauth2_params = {
         grant_type: 'authorization_code',
-        code: code,
+        code:,
         redirect_uri: config.options[:redirect_uri]
       }

data/lib/onc_certification_g10_test_kit/smart_invalid_token_group.rb CHANGED Viewed

@@ -186,7 +186,7 @@ module ONCCertificationG10TestKit
         oauth2_params = {
           grant_type: 'authorization_code',
-          code: code,
+          code:,
           redirect_uri: config.options[:redirect_uri]
         }
         oauth2_headers = { 'Content-Type' => 'application/x-www-form-urlencoded' }

data/lib/onc_certification_g10_test_kit/smart_invalid_token_group_stu2.rb CHANGED Viewed

@@ -188,7 +188,7 @@ module ONCCertificationG10TestKit
         oauth2_params = {
           grant_type: 'authorization_code',
-          code: code,
+          code:,
           redirect_uri: config.options[:redirect_uri]
         }
         oauth2_headers = { 'Content-Type' => 'application/x-www-form-urlencoded' }

data/lib/onc_certification_g10_test_kit/smart_limited_app_group.rb CHANGED Viewed

@@ -1,3 +1,4 @@
+require_relative 'g10_options'
 require_relative 'patient_context_test'
 require_relative 'limited_scope_grant_test'
 require_relative 'restricted_resource_type_access_group'
@@ -80,7 +81,7 @@ module ONCCertificationG10TestKit
           Sequence](http://hl7.org/fhir/smart-app-launch/1.0.0/index.html#standalone-launch-sequence)
       )
-      required_suite_options smart_app_launch_version: 'smart_app_launch_1'
+      required_suite_options G10Options::SMART_1_REQUIREMENT
       config(
         inputs: {
@@ -203,7 +204,7 @@ module ONCCertificationG10TestKit
           Sequence](http://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#launch-app-standalone-launch)
       )
-      required_suite_options smart_app_launch_version: 'smart_app_launch_2'
+      required_suite_options G10Options::SMART_2_REQUIREMENT
       config(
         inputs: {

data/lib/onc_certification_g10_test_kit/smart_scopes_test.rb CHANGED Viewed

@@ -1,5 +1,7 @@
 module ONCCertificationG10TestKit
   class SMARTScopesTest < Inferno::Test
+    include G10Options
     title 'Patient-level access with OpenID Connect and Refresh Token scopes used.'
     description %(
       The scopes being input must follow the guidelines specified in the
@@ -62,13 +64,13 @@ module ONCCertificationG10TestKit
       (PATIENT_COMPARTMENT_RESOURCE_TYPES + ['ServiceRequest']).freeze
     def patient_compartment_resource_types
-      return PATIENT_COMPARTMENT_RESOURCE_TYPES unless suite_options[:us_core_version] == 'us_core_5'
+      return PATIENT_COMPARTMENT_RESOURCE_TYPES unless using_us_core_5?
       V5_PATIENT_COMPARTMENT_RESOURCE_TYPES
     end
     def valid_resource_types
-      return VALID_RESOURCE_TYPES unless suite_options[:us_core_version] == 'us_core_5'
+      return VALID_RESOURCE_TYPES unless using_us_core_5?
       V5_VALID_RESOURCE_TYPES
     end

data/lib/onc_certification_g10_test_kit/smart_standalone_patient_app_group.rb CHANGED Viewed

@@ -5,6 +5,7 @@ require_relative 'smart_scopes_test'
 require_relative 'unauthorized_access_test'
 require_relative 'unrestricted_resource_type_access_group'
 require_relative 'well_known_capabilities_test'
+require_relative 'incorrectly_permitted_tls_versions_messages_setup_test'
 module ONCCertificationG10TestKit
   class SmartStandalonePatientAppGroup < Inferno::TestGroup
@@ -56,7 +57,7 @@ module ONCCertificationG10TestKit
     input_order :url, :standalone_client_id, :standalone_client_secret
     group from: :smart_discovery do
-      required_suite_options(smart_app_launch_version: 'smart_app_launch_1')
+      required_suite_options(G10Options::SMART_1_REQUIREMENT)
       test from: 'g10_smart_well_known_capabilities',
            config: {
@@ -75,7 +76,7 @@ module ONCCertificationG10TestKit
     end
     group from: :smart_discovery_stu2 do
-      required_suite_options(smart_app_launch_version: 'smart_app_launch_2')
+      required_suite_options(G10Options::SMART_2_REQUIREMENT)
       test from: 'g10_smart_well_known_capabilities',
            config: {
@@ -89,16 +90,14 @@ module ONCCertificationG10TestKit
                  'permission-offline',
                  'permission-patient',
                  'authorize-post',
-                 'permission-v1',
                  'permission-v2'
                ]
              }
            }
     end
     group from: :smart_standalone_launch do
-      required_suite_options(smart_app_launch_version: 'smart_app_launch_1')
+      required_suite_options(G10Options::SMART_1_REQUIREMENT)
       title 'Standalone Launch With Patient Scope'
       description %(
@@ -179,6 +178,22 @@ module ONCCertificationG10TestKit
                smart_credentials: { name: :standalone_smart_credentials }
              }
            }
+      tests[0].config(
+        outputs: {
+          incorrectly_permitted_tls_versions_messages: {
+            name: :auth_incorrectly_permitted_tls_versions_messages
+          }
+        }
+      )
+      tests[3].config(
+        outputs: {
+          incorrectly_permitted_tls_versions_messages: {
+            name: :token_incorrectly_permitted_tls_versions_messages
+          }
+        }
+      )
     end
     group from: :smart_standalone_launch_stu2,
@@ -198,7 +213,7 @@ module ONCCertificationG10TestKit
               }
             }
           } do
-      required_suite_options(smart_app_launch_version: 'smart_app_launch_2')
+      required_suite_options(G10Options::SMART_2_REQUIREMENT)
       title 'Standalone Launch With Patient Scope'
       description %(
@@ -279,6 +294,22 @@ module ONCCertificationG10TestKit
                smart_credentials: { name: :standalone_smart_credentials }
              }
            }
+      tests[0].config(
+        outputs: {
+          incorrectly_permitted_tls_versions_messages: {
+            name: :auth_incorrectly_permitted_tls_versions_messages
+          }
+        }
+      )
+      tests[3].config(
+        outputs: {
+          incorrectly_permitted_tls_versions_messages: {
+            name: :token_incorrectly_permitted_tls_versions_messages
+          }
+        }
+      )
     end
     group from: :smart_openid_connect,
@@ -349,5 +380,25 @@ module ONCCertificationG10TestKit
                patient_id: standalone_patient_id
       end
     end
+    test from: :g10_incorrectly_permitted_tls_versions_messages_setup,
+         id: :g10_auth_incorrectly_permitted_tls_versions_messages_setup,
+         config: {
+           inputs: {
+             incorrectly_permitted_tls_versions_messages: {
+               name: :auth_incorrectly_permitted_tls_versions_messages
+             }
+           }
+         }
+    test from: :g10_incorrectly_permitted_tls_versions_messages_setup,
+         id: :g10_token_incorrectly_permitted_tls_versions_messages_setup,
+         config: {
+           inputs: {
+             incorrectly_permitted_tls_versions_messages: {
+               name: :token_incorrectly_permitted_tls_versions_messages
+             }
+           }
+         }
   end
 end

data/lib/onc_certification_g10_test_kit/tasks/test_procedure.rb CHANGED Viewed

@@ -53,7 +53,7 @@ module ONCCertificationG10TestKit
               second_prefix, _, ending = second.rpartition('.')
               raise "'#{prefix}' != '#{second_prefix}' in #{@group} #{@id}" unless prefix == second_prefix
-              (beginning.to_i..ending.to_i).map { |index| "#{prefix}.#{format('%02<index>d', { index: index })}" }
+              (beginning.to_i..ending.to_i).map { |index| "#{prefix}.#{format('%02<index>d', { index: })}" }
             else
               [test]
             end

data/lib/onc_certification_g10_test_kit/terminology_binding_validator.rb CHANGED Viewed

@@ -51,7 +51,7 @@ module ONCCertificationG10TestKit
     def add_warning(message)
       validation_messages << {
         type: 'warning',
-        message: message
+        message:
       }
     end

data/lib/onc_certification_g10_test_kit/unrestricted_resource_type_access_group.rb CHANGED Viewed

@@ -1,3 +1,4 @@
+require_relative 'g10_options'
 require_relative 'resource_access_test'
 module ONCCertificationG10TestKit
@@ -111,6 +112,8 @@ module ONCCertificationG10TestKit
       (NON_PATIENT_COMPARTMENT_RESOURCES - ['Encounter'] + ['ServiceRequest']).freeze
     test do
+      include G10Options
       title 'Scope granted enables access to all US Core resource types.'
       description %(
         This test confirms that the scopes granted during authorization are
@@ -118,13 +121,13 @@ module ONCCertificationG10TestKit
       )
       def all_resources
-        return V5_ALL_RESOURCES if suite_options[:us_core_version] == 'us_core_5'
+        return V5_ALL_RESOURCES if using_us_core_5?
         ALL_RESOURCES
       end
       def non_patient_compartment_resources
-        return V5_NON_PATIENT_COMPARTMENT_RESOURCES if suite_options[:us_core_version] == 'us_core_5'
+        return V5_NON_PATIENT_COMPARTMENT_RESOURCES if using_us_core_5?
         NON_PATIENT_COMPARTMENT_RESOURCES
       end
@@ -335,7 +338,7 @@ module ONCCertificationG10TestKit
       )
       id :g10_encounter_unrestricted_access
-      required_suite_options us_core_version: 'us_core_5'
+      required_suite_options G10Options::US_CORE_5_REQUIREMENT
       def resource_group
         USCoreTestKit::USCoreV501::EncounterGroup
@@ -349,7 +352,7 @@ module ONCCertificationG10TestKit
       )
       id :g10_service_request_unrestricted_access
-      required_suite_options us_core_version: 'us_core_5'
+      required_suite_options G10Options::US_CORE_5_REQUIREMENT
       def resource_group
         USCoreTestKit::USCoreV501::ServiceRequestGroup

data/lib/onc_certification_g10_test_kit/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module ONCCertificationG10TestKit
-  VERSION = '3.1.0'.freeze
+  VERSION = '3.3.0'.freeze
 end

data/lib/onc_certification_g10_test_kit/visual_inspection_and_attestations_group.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+require_relative 'g10_options'
 module ONCCertificationG10TestKit
   class VisualInspectionAndAttestationsGroup < Inferno::TestGroup
     title 'Visual Inspection and Attestation'
@@ -374,7 +376,7 @@ module ONCCertificationG10TestKit
       )
       id 'Test11'
-      required_suite_options us_core_version: 'us_core_3'
+      required_suite_options G10Options::US_CORE_3_REQUIREMENT
       input :patient_suffix_attestation,
             title: 'Health IT developer demonstrates support for the Patient Demographics Suffix USCDI v1 element.',
@@ -416,7 +418,7 @@ module ONCCertificationG10TestKit
       )
       id 'Test12'
-      required_suite_options us_core_version: 'us_core_3'
+      required_suite_options G10Options::US_CORE_3_REQUIREMENT
       input :patient_previous_name_attestation,
             title: 'Health IT developer demonstrates support for the Patient Demographics Previous Name USCDI v1 element.', # rubocop:disable Layout/LineLength
@@ -522,5 +524,53 @@ module ONCCertificationG10TestKit
         pass public_url_attestation_notes if public_url_attestation_notes.present?
       end
     end
+    test do
+      title 'TLS version 1.2 or above must be enforced'
+      description %(
+        If TLS connections below version 1.2 have been allowed in any previous
+        tests, Health IT developers must document how the Health IT Module
+        enforces TLS version 1.2 or above.
+        If no TLS connections below version 1.2 have been allowed, no
+        documentation is necessary and this test will automatically pass.
+      )
+      id :g10_tls_version_attestation
+      input :unique_incorrectly_permitted_tls_versions_messages,
+            title: 'TLS Issues',
+            type: 'textarea',
+            locked: true,
+            optional: true
+      input :tls_documentation_required,
+            title: 'Health IT developers must document how the Health IT Module enforces TLs version 1.2 or above',
+            type: 'radio',
+            default: 'false',
+            locked: true,
+            options: {
+              list_options: [
+                {
+                  label: 'Yes',
+                  value: 'true'
+                },
+                {
+                  label: 'No',
+                  value: 'false'
+                }
+              ]
+            }
+      input :tls_version_attestation_notes,
+            title: 'Document how TLS version 1.2 or above is enforced, if required:',
+            type: 'textarea',
+            optional: true
+      run do
+        if tls_documentation_required == 'true'
+          assert tls_version_attestation_notes.present?,
+                 'Health IT developer did not document how the system under test enforces TLS version 1.2 or above'
+        end
+        pass tls_version_attestation_notes if tls_version_attestation_notes.present?
+      end
+    end
   end
 end