RubyGems - onc_certification_g10_test_kit - Versions diffs - 3.1.0 → 3.3.0 - Mend

onc_certification_g10_test_kit 3.1.0 → 3.3.0

Files changed (52) hide show

data/lib/onc_certification_g10_test_kit/single_patient_api_group.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+require_relative 'incorrectly_permitted_tls_versions_messages_setup_test'
 module ONCCertificationG10TestKit
   class SinglePatientAPIGroup < Inferno::TestGroup
     id :g10_single_patient_api
@@ -92,5 +94,7 @@ module ONCCertificationG10TestKit
       group(from: id, exclude_optional: true, config: group_config)
     end
+    test from: :g10_incorrectly_permitted_tls_versions_messages_setup
   end
 end

data/lib/onc_certification_g10_test_kit/single_patient_us_core_4_api_group.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+require_relative 'incorrectly_permitted_tls_versions_messages_setup_test'
 module ONCCertificationG10TestKit
   class SinglePatientUSCore4APIGroup < Inferno::TestGroup
     id :g10_single_patient_us_core_4_api
@@ -92,5 +94,7 @@ module ONCCertificationG10TestKit
       group(from: id, exclude_optional: true, config: group_config)
     end
+    test from: :g10_incorrectly_permitted_tls_versions_messages_setup
   end
 end

data/lib/onc_certification_g10_test_kit/single_patient_us_core_5_api_group.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+require_relative 'incorrectly_permitted_tls_versions_messages_setup_test'
 module ONCCertificationG10TestKit
   class SinglePatientUSCore5APIGroup < Inferno::TestGroup
     id :g10_single_patient_us_core_5_api
@@ -92,5 +94,7 @@ module ONCCertificationG10TestKit
       group(from: id, exclude_optional: true, config: group_config)
     end
+    test from: :g10_incorrectly_permitted_tls_versions_messages_setup
   end
 end

data/lib/onc_certification_g10_test_kit/smart_app_launch_invalid_aud_group.rb CHANGED Viewed

@@ -91,7 +91,7 @@ module ONCCertificationG10TestKit
                 :smart_authorization_url
     test from: :smart_app_redirect do
-      required_suite_options smart_app_launch_version: 'smart_app_launch_1'
+      required_suite_options G10Options::SMART_1_REQUIREMENT
       input :client_secret,
             name: :standalone_client_secret,
@@ -118,7 +118,7 @@ module ONCCertificationG10TestKit
     end
     test from: :smart_app_redirect_stu2 do
-      required_suite_options smart_app_launch_version: 'smart_app_launch_2'
+      required_suite_options G10Options::SMART_2_REQUIREMENT
       config(
         inputs: {

data/lib/onc_certification_g10_test_kit/smart_ehr_patient_launch_group.rb CHANGED Viewed

@@ -1,17 +1,29 @@
+require_relative 'patient_scope_test'
 module ONCCertificationG10TestKit
   class SMARTEHRPatientLaunchGroup < SMARTAppLaunch::EHRLaunchGroup
     title 'EHR Launch with Patient Scopes'
     description %(
       # Background
+      Systems are required to support the `permission-patient` capability as
+      part of the [Clinician Access for EHR Launch Capability
+      Set.](http://hl7.org/fhir/smart-app-launch/1.0.0/conformance/index.html#clinician-access-for-ehr-launch)
+      Additionally, if an application launched from an EHR requests and is
+      granted a clinical scope restricted to a single patient, the EHR SHALL
+      establish a patient in context.
-      If an application launched from an EHR requests and is granted a clinical
-      scope restricted to a single patient, the EHR SHALL establish a patient in
-      context.
+      Register Inferno as an EHR-launched application using patient-level scopes
+      and the following URIs:
+      * Launch URI: `#{SMARTAppLaunch::AppLaunchTest.config.options[:launch_uri]}`
+      * Redirect URI: `#{SMARTAppLaunch::AppRedirectTest.config.options[:redirect_uri]}`
       # Test Methodology
       Inferno will attempt an EHR Launch with a clinical scope restricted to a
-      single patient and verify that a patient id is received.
+      single patient and verify that a patient-level scope is granted and a
+      patient id is received.
       For more information on the #{title}
@@ -43,6 +55,9 @@ module ONCCertificationG10TestKit
         launch: {
           name: :ehr_patient_launch
         },
+        received_scopes: {
+          name: :ehr_patient_received_scopes
+        },
         smart_credentials: {
           name: :ehr_patient_smart_credentials
         },
@@ -67,6 +82,7 @@ module ONCCertificationG10TestKit
         patient_id: { name: :ehr_patient_patient_id },
         encounter_id: { name: :ehr_patient_encounter_id },
         received_scopes: { name: :ehr_patient_received_scopes },
+        requested_scopes: { name: :ehr_patient_requested_scopes },
         intent: { name: :ehr_patient_intent },
         smart_credentials: { name: :ehr_patient_smart_credentials }
       },
@@ -89,5 +105,12 @@ module ONCCertificationG10TestKit
              smart_credentials: { name: :ehr_patient_smart_credentials }
            }
          }
+    test from: :g10_patient_scope,
+         config: {
+           options: {
+             scope_version: :v1
+           }
+         }
   end
 end

data/lib/onc_certification_g10_test_kit/smart_ehr_patient_launch_group_stu2.rb CHANGED Viewed

@@ -1,17 +1,29 @@
+require_relative 'patient_scope_test'
 module ONCCertificationG10TestKit
   class SMARTEHRPatientLaunchGroupSTU2 < SMARTAppLaunch::EHRLaunchGroupSTU2
     title 'EHR Launch with Patient Scopes'
     description %(
       # Background
+      Systems are required to support the `permission-patient` capability as
+      part of the [Clinician Access for EHR Launch Capability
+      Set.](http://hl7.org/fhir/smart-app-launch/STU2/conformance.html#clinician-access-for-ehr-launch)
+      Additionally, if an application launched from an EHR requests and is
+      granted a clinical scope restricted to a single patient, the EHR SHALL
+      establish a patient in context.
-      If an application launched from an EHR requests and is granted a clinical
-      scope restricted to a single patient, the EHR SHALL establish a patient in
-      context.
+      Register Inferno as an EHR-launched application using patient-level scopes
+      and the following URIs:
+      * Launch URI: `#{SMARTAppLaunch::AppLaunchTest.config.options[:launch_uri]}`
+      * Redirect URI: `#{SMARTAppLaunch::AppRedirectTest.config.options[:redirect_uri]}`
       # Test Methodology
       Inferno will attempt an EHR Launch with a clinical scope restricted to a
-      single patient and verify that a patient id is received.
+      single patient and verify that a patient-level scope is granted and a
+      patient id is received.
       For more information on the #{title}
@@ -43,6 +55,9 @@ module ONCCertificationG10TestKit
         launch: {
           name: :ehr_patient_launch
         },
+        received_scopes: {
+          name: :ehr_patient_received_scopes
+        },
         smart_credentials: {
           name: :ehr_patient_smart_credentials
         },
@@ -67,6 +82,7 @@ module ONCCertificationG10TestKit
         patient_id: { name: :ehr_patient_patient_id },
         encounter_id: { name: :ehr_patient_encounter_id },
         received_scopes: { name: :ehr_patient_received_scopes },
+        requested_scopes: { name: :ehr_patient_requested_scopes },
         intent: { name: :ehr_patient_intent },
         smart_credentials: { name: :ehr_patient_smart_credentials }
       },
@@ -90,5 +106,12 @@ module ONCCertificationG10TestKit
              smart_credentials: { name: :ehr_patient_smart_credentials }
            }
          }
+    test from: :g10_patient_scope,
+         config: {
+           options: {
+             scope_version: :v2
+           }
+         }
   end
 end

data/lib/onc_certification_g10_test_kit/smart_ehr_practitioner_app_group.rb CHANGED Viewed

@@ -60,7 +60,7 @@ module ONCCertificationG10TestKit
     input_order :url, :ehr_client_id, :ehr_client_secret
     group from: :smart_discovery do
-      required_suite_options(smart_app_launch_version: 'smart_app_launch_1')
+      required_suite_options(G10Options::SMART_1_REQUIREMENT)
       test from: 'g10_smart_well_known_capabilities',
            config: {
@@ -80,7 +80,7 @@ module ONCCertificationG10TestKit
     end
     group from: :smart_discovery_stu2 do
-      required_suite_options(smart_app_launch_version: 'smart_app_launch_2')
+      required_suite_options(G10Options::SMART_2_REQUIREMENT)
       test from: 'g10_smart_well_known_capabilities',
            config: {
@@ -95,7 +95,6 @@ module ONCCertificationG10TestKit
                  'permission-offline',
                  'permission-user',
                  'authorize-post',
-                 'permission-v1',
                  'permission-v2'
                ]
              }
@@ -103,7 +102,7 @@ module ONCCertificationG10TestKit
     end
     group from: :smart_ehr_launch do
-      required_suite_options(smart_app_launch_version: 'smart_app_launch_1')
+      required_suite_options(G10Options::SMART_1_REQUIREMENT)
       title 'EHR Launch With Practitioner Scope'
       input :client_secret,
@@ -173,7 +172,7 @@ module ONCCertificationG10TestKit
                access_token: { name: :ehr_access_token }
              }
            },
-           required_suite_options: { us_core_version: 'us_core_5' }
+           required_suite_options: G10Options::US_CORE_5_REQUIREMENT
       test do
         title 'Launch context contains smart_style_url which links to valid JSON'
@@ -221,6 +220,22 @@ module ONCCertificationG10TestKit
                  'Token response did not contain `need_patient_banner`'
         end
       end
+      tests[2].config(
+        outputs: {
+          incorrectly_permitted_tls_versions_messages: {
+            name: :auth_incorrectly_permitted_tls_versions_messages
+          }
+        }
+      )
+      tests[5].config(
+        outputs: {
+          incorrectly_permitted_tls_versions_messages: {
+            name: :token_incorrectly_permitted_tls_versions_messages
+          }
+        }
+      )
     end
     group from: :smart_ehr_launch_stu2,
@@ -240,7 +255,7 @@ module ONCCertificationG10TestKit
               }
             }
           } do
-      required_suite_options(smart_app_launch_version: 'smart_app_launch_2')
+      required_suite_options(G10Options::SMART_2_REQUIREMENT)
       title 'EHR Launch With Practitioner Scope'
       input :client_secret,
@@ -309,7 +324,7 @@ module ONCCertificationG10TestKit
                access_token: { name: :ehr_access_token }
              }
            },
-           required_suite_options: { us_core_version: 'us_core_5' }
+           required_suite_options: G10Options::US_CORE_5_REQUIREMENT
       test do
         title 'Launch context contains smart_style_url which links to valid JSON'
@@ -357,6 +372,22 @@ module ONCCertificationG10TestKit
                  'Token response did not contain `need_patient_banner`'
         end
       end
+      tests[2].config(
+        outputs: {
+          incorrectly_permitted_tls_versions_messages: {
+            name: :auth_incorrectly_permitted_tls_versions_messages
+          }
+        }
+      )
+      tests[5].config(
+        outputs: {
+          incorrectly_permitted_tls_versions_messages: {
+            name: :token_incorrectly_permitted_tls_versions_messages
+          }
+        }
+      )
     end
     group from: :smart_openid_connect,
@@ -417,5 +448,25 @@ module ONCCertificationG10TestKit
                patient_id: ehr_patient_id
       end
     end
+    test from: :g10_incorrectly_permitted_tls_versions_messages_setup,
+         id: :g10_auth_incorrectly_permitted_tls_versions_messages_setup,
+         config: {
+           inputs: {
+             incorrectly_permitted_tls_versions_messages: {
+               name: :auth_incorrectly_permitted_tls_versions_messages
+             }
+           }
+         }
+    test from: :g10_incorrectly_permitted_tls_versions_messages_setup,
+         id: :g10_token_incorrectly_permitted_tls_versions_messages_setup,
+         config: {
+           inputs: {
+             incorrectly_permitted_tls_versions_messages: {
+               name: :token_incorrectly_permitted_tls_versions_messages
+             }
+           }
+         }
   end
 end

data/lib/onc_certification_g10_test_kit/smart_invalid_pkce_group.rb CHANGED Viewed

@@ -19,7 +19,7 @@ module ONCCertificationG10TestKit
       oauth2_params = {
         grant_type: 'authorization_code',
-        code: code,
+        code:,
         redirect_uri: config.options[:redirect_uri]
       }

data/lib/onc_certification_g10_test_kit/smart_invalid_token_group.rb CHANGED Viewed

@@ -186,7 +186,7 @@ module ONCCertificationG10TestKit
         oauth2_params = {
           grant_type: 'authorization_code',
-          code: code,
+          code:,
           redirect_uri: config.options[:redirect_uri]
         }
         oauth2_headers = { 'Content-Type' => 'application/x-www-form-urlencoded' }

data/lib/onc_certification_g10_test_kit/smart_invalid_token_group_stu2.rb CHANGED Viewed

@@ -188,7 +188,7 @@ module ONCCertificationG10TestKit
         oauth2_params = {
           grant_type: 'authorization_code',
-          code: code,
+          code:,
           redirect_uri: config.options[:redirect_uri]
         }
         oauth2_headers = { 'Content-Type' => 'application/x-www-form-urlencoded' }

data/lib/onc_certification_g10_test_kit/smart_limited_app_group.rb CHANGED Viewed

@@ -1,3 +1,4 @@
+require_relative 'g10_options'
 require_relative 'patient_context_test'
 require_relative 'limited_scope_grant_test'
 require_relative 'restricted_resource_type_access_group'
@@ -80,7 +81,7 @@ module ONCCertificationG10TestKit
           Sequence](http://hl7.org/fhir/smart-app-launch/1.0.0/index.html#standalone-launch-sequence)
       )
-      required_suite_options smart_app_launch_version: 'smart_app_launch_1'
+      required_suite_options G10Options::SMART_1_REQUIREMENT
       config(
         inputs: {
@@ -203,7 +204,7 @@ module ONCCertificationG10TestKit
           Sequence](http://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#launch-app-standalone-launch)
       )
-      required_suite_options smart_app_launch_version: 'smart_app_launch_2'
+      required_suite_options G10Options::SMART_2_REQUIREMENT
       config(
         inputs: {

data/lib/onc_certification_g10_test_kit/smart_scopes_test.rb CHANGED Viewed

@@ -1,5 +1,7 @@
 module ONCCertificationG10TestKit
   class SMARTScopesTest < Inferno::Test
+    include G10Options
     title 'Patient-level access with OpenID Connect and Refresh Token scopes used.'
     description %(
       The scopes being input must follow the guidelines specified in the
@@ -62,13 +64,13 @@ module ONCCertificationG10TestKit
       (PATIENT_COMPARTMENT_RESOURCE_TYPES + ['ServiceRequest']).freeze
     def patient_compartment_resource_types
-      return PATIENT_COMPARTMENT_RESOURCE_TYPES unless suite_options[:us_core_version] == 'us_core_5'
+      return PATIENT_COMPARTMENT_RESOURCE_TYPES unless using_us_core_5?
       V5_PATIENT_COMPARTMENT_RESOURCE_TYPES
     end
     def valid_resource_types
-      return VALID_RESOURCE_TYPES unless suite_options[:us_core_version] == 'us_core_5'
+      return VALID_RESOURCE_TYPES unless using_us_core_5?
       V5_VALID_RESOURCE_TYPES
     end

data/lib/onc_certification_g10_test_kit/smart_standalone_patient_app_group.rb CHANGED Viewed

@@ -5,6 +5,7 @@ require_relative 'smart_scopes_test'
 require_relative 'unauthorized_access_test'
 require_relative 'unrestricted_resource_type_access_group'
 require_relative 'well_known_capabilities_test'
+require_relative 'incorrectly_permitted_tls_versions_messages_setup_test'
 module ONCCertificationG10TestKit
   class SmartStandalonePatientAppGroup < Inferno::TestGroup
@@ -56,7 +57,7 @@ module ONCCertificationG10TestKit
     input_order :url, :standalone_client_id, :standalone_client_secret
     group from: :smart_discovery do
-      required_suite_options(smart_app_launch_version: 'smart_app_launch_1')
+      required_suite_options(G10Options::SMART_1_REQUIREMENT)
       test from: 'g10_smart_well_known_capabilities',
            config: {
@@ -75,7 +76,7 @@ module ONCCertificationG10TestKit
     end
     group from: :smart_discovery_stu2 do
-      required_suite_options(smart_app_launch_version: 'smart_app_launch_2')
+      required_suite_options(G10Options::SMART_2_REQUIREMENT)
       test from: 'g10_smart_well_known_capabilities',
            config: {
@@ -89,16 +90,14 @@ module ONCCertificationG10TestKit
                  'permission-offline',
                  'permission-patient',
                  'authorize-post',
-                 'permission-v1',
                  'permission-v2'
                ]
              }
            }
     end
     group from: :smart_standalone_launch do
-      required_suite_options(smart_app_launch_version: 'smart_app_launch_1')
+      required_suite_options(G10Options::SMART_1_REQUIREMENT)
       title 'Standalone Launch With Patient Scope'
       description %(
@@ -179,6 +178,22 @@ module ONCCertificationG10TestKit
                smart_credentials: { name: :standalone_smart_credentials }
              }
            }
+      tests[0].config(
+        outputs: {
+          incorrectly_permitted_tls_versions_messages: {
+            name: :auth_incorrectly_permitted_tls_versions_messages
+          }
+        }
+      )
+      tests[3].config(
+        outputs: {
+          incorrectly_permitted_tls_versions_messages: {
+            name: :token_incorrectly_permitted_tls_versions_messages
+          }
+        }
+      )
     end
     group from: :smart_standalone_launch_stu2,
@@ -198,7 +213,7 @@ module ONCCertificationG10TestKit
               }
             }
           } do
-      required_suite_options(smart_app_launch_version: 'smart_app_launch_2')
+      required_suite_options(G10Options::SMART_2_REQUIREMENT)
       title 'Standalone Launch With Patient Scope'
       description %(
@@ -279,6 +294,22 @@ module ONCCertificationG10TestKit
                smart_credentials: { name: :standalone_smart_credentials }
              }
            }
+      tests[0].config(
+        outputs: {
+          incorrectly_permitted_tls_versions_messages: {
+            name: :auth_incorrectly_permitted_tls_versions_messages
+          }
+        }
+      )
+      tests[3].config(
+        outputs: {
+          incorrectly_permitted_tls_versions_messages: {
+            name: :token_incorrectly_permitted_tls_versions_messages
+          }
+        }
+      )
     end
     group from: :smart_openid_connect,
@@ -349,5 +380,25 @@ module ONCCertificationG10TestKit
                patient_id: standalone_patient_id
       end
     end
+    test from: :g10_incorrectly_permitted_tls_versions_messages_setup,
+         id: :g10_auth_incorrectly_permitted_tls_versions_messages_setup,
+         config: {
+           inputs: {
+             incorrectly_permitted_tls_versions_messages: {
+               name: :auth_incorrectly_permitted_tls_versions_messages
+             }
+           }
+         }
+    test from: :g10_incorrectly_permitted_tls_versions_messages_setup,
+         id: :g10_token_incorrectly_permitted_tls_versions_messages_setup,
+         config: {
+           inputs: {
+             incorrectly_permitted_tls_versions_messages: {
+               name: :token_incorrectly_permitted_tls_versions_messages
+             }
+           }
+         }
   end
 end

data/lib/onc_certification_g10_test_kit/tasks/test_procedure.rb CHANGED Viewed

@@ -53,7 +53,7 @@ module ONCCertificationG10TestKit
               second_prefix, _, ending = second.rpartition('.')
               raise "'#{prefix}' != '#{second_prefix}' in #{@group} #{@id}" unless prefix == second_prefix
-              (beginning.to_i..ending.to_i).map { |index| "#{prefix}.#{format('%02<index>d', { index: index })}" }
+              (beginning.to_i..ending.to_i).map { |index| "#{prefix}.#{format('%02<index>d', { index: })}" }
             else
               [test]
             end

data/lib/onc_certification_g10_test_kit/terminology_binding_validator.rb CHANGED Viewed

@@ -51,7 +51,7 @@ module ONCCertificationG10TestKit
     def add_warning(message)
       validation_messages << {
         type: 'warning',
-        message: message
+        message:
       }
     end

data/lib/onc_certification_g10_test_kit/unrestricted_resource_type_access_group.rb CHANGED Viewed

@@ -1,3 +1,4 @@
+require_relative 'g10_options'
 require_relative 'resource_access_test'
 module ONCCertificationG10TestKit
@@ -111,6 +112,8 @@ module ONCCertificationG10TestKit
       (NON_PATIENT_COMPARTMENT_RESOURCES - ['Encounter'] + ['ServiceRequest']).freeze
     test do
+      include G10Options
       title 'Scope granted enables access to all US Core resource types.'
       description %(
         This test confirms that the scopes granted during authorization are
@@ -118,13 +121,13 @@ module ONCCertificationG10TestKit
       )
       def all_resources
-        return V5_ALL_RESOURCES if suite_options[:us_core_version] == 'us_core_5'
+        return V5_ALL_RESOURCES if using_us_core_5?
         ALL_RESOURCES
       end
       def non_patient_compartment_resources
-        return V5_NON_PATIENT_COMPARTMENT_RESOURCES if suite_options[:us_core_version] == 'us_core_5'
+        return V5_NON_PATIENT_COMPARTMENT_RESOURCES if using_us_core_5?
         NON_PATIENT_COMPARTMENT_RESOURCES
       end
@@ -335,7 +338,7 @@ module ONCCertificationG10TestKit
       )
       id :g10_encounter_unrestricted_access
-      required_suite_options us_core_version: 'us_core_5'
+      required_suite_options G10Options::US_CORE_5_REQUIREMENT
       def resource_group
         USCoreTestKit::USCoreV501::EncounterGroup
@@ -349,7 +352,7 @@ module ONCCertificationG10TestKit
       )
       id :g10_service_request_unrestricted_access
-      required_suite_options us_core_version: 'us_core_5'
+      required_suite_options G10Options::US_CORE_5_REQUIREMENT
       def resource_group
         USCoreTestKit::USCoreV501::ServiceRequestGroup

data/lib/onc_certification_g10_test_kit/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module ONCCertificationG10TestKit
-  VERSION = '3.1.0'.freeze
+  VERSION = '3.3.0'.freeze
 end

data/lib/onc_certification_g10_test_kit/visual_inspection_and_attestations_group.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+require_relative 'g10_options'
 module ONCCertificationG10TestKit
   class VisualInspectionAndAttestationsGroup < Inferno::TestGroup
     title 'Visual Inspection and Attestation'
@@ -374,7 +376,7 @@ module ONCCertificationG10TestKit
       )
       id 'Test11'
-      required_suite_options us_core_version: 'us_core_3'
+      required_suite_options G10Options::US_CORE_3_REQUIREMENT
       input :patient_suffix_attestation,
             title: 'Health IT developer demonstrates support for the Patient Demographics Suffix USCDI v1 element.',
@@ -416,7 +418,7 @@ module ONCCertificationG10TestKit
       )
       id 'Test12'
-      required_suite_options us_core_version: 'us_core_3'
+      required_suite_options G10Options::US_CORE_3_REQUIREMENT
       input :patient_previous_name_attestation,
             title: 'Health IT developer demonstrates support for the Patient Demographics Previous Name USCDI v1 element.', # rubocop:disable Layout/LineLength
@@ -522,5 +524,53 @@ module ONCCertificationG10TestKit
         pass public_url_attestation_notes if public_url_attestation_notes.present?
       end
     end
+    test do
+      title 'TLS version 1.2 or above must be enforced'
+      description %(
+        If TLS connections below version 1.2 have been allowed in any previous
+        tests, Health IT developers must document how the Health IT Module
+        enforces TLS version 1.2 or above.
+        If no TLS connections below version 1.2 have been allowed, no
+        documentation is necessary and this test will automatically pass.
+      )
+      id :g10_tls_version_attestation
+      input :unique_incorrectly_permitted_tls_versions_messages,
+            title: 'TLS Issues',
+            type: 'textarea',
+            locked: true,
+            optional: true
+      input :tls_documentation_required,
+            title: 'Health IT developers must document how the Health IT Module enforces TLs version 1.2 or above',
+            type: 'radio',
+            default: 'false',
+            locked: true,
+            options: {
+              list_options: [
+                {
+                  label: 'Yes',
+                  value: 'true'
+                },
+                {
+                  label: 'No',
+                  value: 'false'
+                }
+              ]
+            }
+      input :tls_version_attestation_notes,
+            title: 'Document how TLS version 1.2 or above is enforced, if required:',
+            type: 'textarea',
+            optional: true
+      run do
+        if tls_documentation_required == 'true'
+          assert tls_version_attestation_notes.present?,
+                 'Health IT developer did not document how the system under test enforces TLS version 1.2 or above'
+        end
+        pass tls_version_attestation_notes if tls_version_attestation_notes.present?
+      end
+    end
   end
 end