4.3 Recommended and Planned Remediation Rule

[rachkim00]

Extended Description As a CSP, creating OSCAL based POAM based on the legacy POAM data, I want to:

• easily use existing 'Overall Remediation Plan' data by assigning just 'lifecycle' status without further duplication.

Context: Currently, all types of remediation plan is melted in ‘Overall remediation Plan’. This requires significant manual work to sort this data and categorize them for each lifecycle status (recommended, planned, completed) in 'response' assembly. Also, there are cases where what the tool and 3PAO recommended is what the CSP is planned. In this case, this creates duplicate work for the CSP to clone the data just to assign different lifecycle. Also, it will look confusing in OSCAL file to have multiple same responses but different lifecycle status.

Suggest to remove the rule: Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M) §4.3 - A risk must have a planned response & A risk must have a recommendation response. Or simply update from 'Errors' to 'Information' or 'Warning'.

Preconditions

• CSPs should be advised in the guide that they use 'lifecycle' status to correctly indicate the status of the response.

Acceptance Criteria

• [ ] All Schematron assertion messages are declarative statements which affirm the positive test outcome.
• [ ] All Schematron assertion diagnostic messages are declarative statements which explain the negative test outcome.
• [ ] The Schematron code has no assertion failures when validated using src/validations/styleguides/sch.sch using the basic phase.
• [ ] XSpec unit tests for positive and negative Schematron assertion outcomes accompany all Schematron assertions (where feasible).
• [x] Schematron rule is updated accordingly

Story Tasks

• [ ] Tasks…

Definition of Done

• [x ] Acceptance criteria met
• [ ] Unit test coverage of our code > 95%
• [ ] Automated code quality checks passed
• [ ] Security reviewed and reported
• [ ] Reviewed against plain language guidelines
• [ ] Code must be self-documenting
• [ ] No local tech debt
• [ ] Load/performance tests passed – needs to be created/automated
• [ x] Documentation updated
• [ ] Architectural Decision Record completed as necessary for significant design choices
• [ ] PR reviewed & approved
• [ ] Source code merged

[rachkim00]

Hello- following up to see if there has been any updates/progress on this item.