lifecycle "recommendation" is required - what is tool doesnt provide level of detail

[Telos-sa]

• This is a ... Concern

• This relates to ...

  • [ ] the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M) (PDF)
  • [ ] the FedRAMP POA&M OSCAL Template (JSON or XML Format)

• Where, exactly? Section 4.3 - review of lifecycle requirements.

• What is your feedback? Recommend reviewing this section. If the tool does not provide a recommendation, or if the test was manual (no tool used) it will be an assessors recommendation, not a tool recommendation. The guidance here needs to be expanded on to cover all possible use cases and their requirements.

• Is this report specifically related to the Word or Excel files from fedramp.gov? If NO

• **What version of OSCAL are you using? (Check our info on [supported OSCAL versions](https://github.com/GSA/fedramp-1.02 and 1.04

• What action would you like to see from the FedRAMP PMO? Would like to see flushed out guidance for this piece of the fedRAMP OSCAL model, including how it ties specifically to the current manual process. There are not enough indicators or guidance to tell a user how to convert from manual to OSCAL when it comes to POAMs, because it is tied so closely to SAP and SAR. Recommend including those references within the guidance.

[rachkim00]

+1 to this issue. We are facing the same issue as the validation rule also defines as 'error' , not 'warning'.