GSA / fedramp-automation

FedRAMP Automation

Mapping details for Original Risk Rating, Comments, and Auto Approve missing #588

Open spencermcginnis opened 2 months ago

spencermcginnis commented 2 months ago

This is a ...

request - need something additional provided

This relates to ...

What is your feedback?

I could not find any mapping details or context for incorporating the Original Risk Rating, Comments, and Auto Approve attributes into an OSCAL-based POAM submission.

Where, exactly?

It relates to the published implementation guidance for implementing OSCAL for POAM reporting (rev 5). The guide explicitly mentions all other columns that appear in the human readable version of the POAM reporting template, but does not appear to directly address these three attributes. I would have expected to find information about this in section 4.2, but am unable to find any references to these attributes anywhere in the guide.

Other information

No response

Rene2mt commented 1 month ago

The POA&M user guide will need to be updated with more details. Please see the guidance below.

POA&M - Original Risk Rating The following illustrates how to represent the original risk rating (XML example | JSON example). The original risk is captured in the risk assembly (plan-of-action-and-milestones\risk\characterization\facet["risk"]) with a child assembly state="initial". Then, the poam-item just references the risk assembly (XML example | JSON example).

POA&M - Comments The FedRAMP POA&M Template notes that the "Comments" column is "for additional information, not specified in another column". FedRAMP currently does not have a specific assembly / object where this content must go; however, until such guidance is provided, the plan-of-action-and-milestones\poam-item\remarks can be used for that purpose. Alternatively, a custom namespace prop could be added to the poam-item to capture POA&M comments.

POA&M - Auto Approve The FedRAMP POA&M Template notes that the "Auto-Approve" column is for determining "Whether the deviation request was auto-approved or manually approved". While this is in the template, it has not been operationalized yet by FedRAMP. Discussions and planning regarding the scope (what DRs can be auto-approved? Risk Adjustments? False Positives?) and, more importantly, the requirements under which automated DR approvals could/should be granted are being sorted out. Once the scope and requirements are defined, we will work with the community to propose guidance for handling this in OSCAL.
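Added example (not code from the fedramp-automation project or from the commenter): a small Python mapper that pulls the three template columns discussed in this thread out of an OSCAL POA&M JSON document, following the interim guidance above. The JSON key names (`risks`, `characterizations`, `facets`, `poam-items`, `related-risks`, `remarks`), the facet `system` URI and the sample document are my assumptions, not taken from the page.

```python
import json


def facet(value, state):
    # Assumed JSON shape of a FedRAMP risk facet; "state" = "initial" marks the
    # original rating per the comment above. The system URI is a placeholder.
    return {"name": "risk", "system": "https://example.gov/PLACEHOLDER",
            "value": value, "props": [{"name": "state", "value": state}]}


# Constructed POA&M fragment for the example; not a real FedRAMP submission.
SAMPLE_POAM = json.dumps({"plan-of-action-and-milestones": {
    "risks": [
        {"uuid": "risk-1", "characterizations": [{"facets": [
            facet("high", "initial"), facet("moderate", "adjusted")]}]},
        {"uuid": "risk-2", "characterizations": [{"facets": [facet("low", "initial")]}]},
    ],
    "poam-items": [
        {"uuid": "item-1", "related-risks": [{"risk-uuid": "risk-1"}],
         "remarks": "Vendor fix scheduled; tracked in internal ticket."},
        {"uuid": "item-2", "related-risks": [{"risk-uuid": "risk-2"}]},
    ]}})


def original_risk_rating(risk):
    """Value of the facet named 'risk' that carries a prop state='initial'."""
    for char in risk.get("characterizations", []):
        for fct in char.get("facets", []):
            if fct.get("name") != "risk":
                continue
            if any(p.get("name") == "state" and p.get("value") == "initial"
                   for p in fct.get("props", [])):
                return fct.get("value")
    return None  # no initial rating recorded, so the template column stays empty


def map_poam_columns(doc_json):
    """One dict per poam-item holding the three template columns from the issue."""
    poam = json.loads(doc_json)["plan-of-action-and-milestones"]
    risks = {r["uuid"]: r for r in poam.get("risks", [])}
    rows = []
    for item in poam.get("poam-items", []):
        refs = [ref.get("risk-uuid") for ref in item.get("related-risks", [])]
        ratings = [original_risk_rating(risks[u]) for u in refs if u in risks]
        rows.append({
            "poam_item": item["uuid"],
            "original_risk_rating": next((r for r in ratings if r), None),
            "comments": item.get("remarks"),  # interim mapping per the comment
            "auto_approve": None,  # not yet operationalized; no OSCAL mapping
        })
    return rows
```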