In the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M) §4.3 (p18 in rev4 guide and p21 in rev5 guide).
What is your feedback?
The guide says:
Within the risk assembly, there must be a response assembly containing the tool's recommended mitigation. The type flag must be set to "recommendation".
However, not all scanning tools provide recommendations. We need to relax this rule (both in the guide and in the validation rules) to accommodate CSPs using a tool that doesn't provide recommendations.
Also, given the current legacy POAM structure, it is hard for the response assembly to have both 'recommendation' and 'planned', as that only duplicates the same content under a different lifecycle type. POAM items also accumulate over time, so we are looking at 2k+ lines being duplicated for this section. We need more scalable guidance.
Is this report specifically related to the Word or Excel files from fedramp.gov?
No
What action would you like to see from the FedRAMP PMO?
Updated guidance on the recommendation in the response assembly under POAM
Other information (e.g. detailed explanation, related issues, suggestions how to fix, links for us to have context, e.g. slack, gitter, etc.)
The validation rule also needs to be updated. We recommend changing it from 'Error' to 'Warning', with the note that, if the tool provides recommendations, then the tool-provided recommendations need to be documented in the response assembly.
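An added example of what the relaxed rule could look like in a checker (not code from the FedRAMP automation project or the guide): it walks each risk in a constructed POA&M fragment, reports a missing `recommendation` response as a warning unless the scanning tool is known to emit recommendations, and also flags the recommendation/planned duplication described above. The JSON keys `remediations` and `lifecycle` are assumed to be the OSCAL 1.0 names for the guide's "response assembly" and "type flag".

```python
import json

# Constructed sample POA&M fragment; `remediations`/`lifecycle` are assumed to be
# the OSCAL 1.0 JSON names for the guide's response assembly and type flag.
SAMPLE_POAM = json.loads("""
{"plan-of-action-and-milestones": {"risks": [
  {"uuid": "risk-1", "title": "Outdated TLS configuration",
   "remediations": [
     {"uuid": "rem-1a", "lifecycle": "recommendation",
      "description": "Disable TLS 1.0 and 1.1 on the load balancer."},
     {"uuid": "rem-1b", "lifecycle": "planned",
      "description": "Disable TLS 1.0 and 1.1 on the load balancer."}]},
  {"uuid": "risk-2", "title": "Missing OS patch",
   "remediations": [
     {"uuid": "rem-2a", "lifecycle": "planned",
      "description": "Apply vendor patch in next maintenance window."}]},
  {"uuid": "risk-3", "title": "Weak SSH ciphers"}
]}}
""")


def check_recommendations(poam: dict, tool_gives_recommendations: bool) -> list:
    """One finding per risk without a `recommendation` response, plus one per
    risk whose recommendation and planned responses carry identical text.
    Missing recommendations are an "error" only when the tool is known to
    emit them (so the omission is a documentation gap), else a "warning"."""
    findings = []
    severity = "error" if tool_gives_recommendations else "warning"
    for risk in poam["plan-of-action-and-milestones"].get("risks", []):
        by_lifecycle = {}
        for rem in risk.get("remediations", []):
            by_lifecycle.setdefault(rem.get("lifecycle"), []).append(rem)
        if "recommendation" not in by_lifecycle:
            findings.append({"risk": risk["uuid"], "severity": severity,
                             "rule": "missing-recommendation"})
            continue
        rec_texts = {r.get("description") for r in by_lifecycle["recommendation"]}
        planned_texts = {r.get("description") for r in by_lifecycle.get("planned", [])}
        if rec_texts & planned_texts:  # same text stored twice under two lifecycles
            findings.append({"risk": risk["uuid"], "severity": "info",
                             "rule": "duplicate-recommendation-planned"})
    return findings


if __name__ == "__main__":
    for finding in check_recommendations(SAMPLE_POAM, tool_gives_recommendations=False):
        print(finding)
```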