Open spencermcginnis opened 7 months ago
The POA&M user guide will need to be updated with more details. Please see the guidance below.
POA&M - Original Risk Rating
The following illustrates how to represent the original risk rating (XML example | JSON example). The original risk is captured in the risk assembly (plan-of-action-and-milestones\risk\characterization\facet["risk"]) with a child assembly state="initial". Then, the poam-item just references the risk assembly (XML example | JSON example).
POA&M - Comments
The FedRAMP POA&M Template notes that the "Comments" column is "for additional information, not specified in another column". FedRAMP currently does not have a specific assembly / object where this content must go; however, until such guidance is provided, the plan-of-action-and-milestones\poam-item\remarks can be used for that purpose. Alternatively, a custom namespace prop could be added to the poam-item to capture POA&M comments.
POA&M - Auto Approve
The FedRAMP POA&M Template notes that the "Auto-Approve" column is for determining "Whether the deviation request was auto-approved or manually approved". While this is in the template, it has not been operationalized yet by FedRAMP. Discussions and planning regarding the scope (what DRs can be auto-approved? Risk Adjustments? False Positives?) and, more importantly, the requirements under which automated DR approvals could/should be granted are being sorted out. Once the scope and requirements are defined, we will work with the community to propose guidance for handling this in OSCAL.
This is a ...
request - need something additional provided
This relates to ...
What is your feedback?
I could not find any mapping details or context for incorporating the Original Risk Rating, Comments, and Auto Approve attributes into an OSCAL based POAM submission.
Where, exactly?
It relates to the published implementation guidance for implementing OSCAL for POAM reporting (rev 5). The guide explicitly mentions all other columns that appear in the human readable version of the POAM reporting template, but does not appear to directly address these three attributes. I would have expected to find information about this in section 4.2, but am unable to find any references to these attributes anywhere in the guide.
Other information
No response
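As an added illustration of the two points made in the issue (it is not one of the linked FedRAMP XML/JSON examples and not text from the issue author), the fragment below shows an OSCAL POA&M risk whose facet name="risk" carries the original rating with state="initial", a poam-item that references that risk by UUID, and the "Comments" content carried in the poam-item remarks. Assumptions: the state="initial" marker is modelled as a prop child of the facet (the issue only says "child assembly"), the reference element is associated-risk with a risk-uuid attribute, the facet system URI is https://fedramp.gov/ns/oscal, and all UUIDs, titles and the alternative custom-namespace prop are placeholders.

```xml
<!-- Constructed example; UUIDs and text are placeholders, not values from a real submission. -->
<plan-of-action-and-milestones xmlns="http://csrc.nist.gov/ns/oscal/1.0"
    uuid="00000000-0000-4000-8000-000000000001">
  <!-- metadata, import-ssp, system-id and other required content omitted for brevity -->

  <risk uuid="00000000-0000-4000-8000-000000000002">
    <title>Example weakness (placeholder)</title>
    <description><p>Constructed example description.</p></description>
    <statement><p>Constructed risk statement.</p></statement>
    <status>open</status>
    <characterization>
      <origin>
        <!-- the tool or party that produced the rating; actor-uuid is a placeholder -->
        <actor type="tool" actor-uuid="00000000-0000-4000-8000-000000000003"/>
      </origin>
      <!-- Original risk rating: facet name="risk"; the state="initial" child is
           modelled here as a prop (assumption). An adjusted rating would be a
           separate facet rather than an overwrite of this one. -->
      <facet name="risk" system="https://fedramp.gov/ns/oscal" value="high">
        <prop name="state" value="initial"/>
      </facet>
    </characterization>
  </risk>

  <poam-item uuid="00000000-0000-4000-8000-000000000004">
    <title>POA&amp;M item referencing the risk (placeholder)</title>
    <description><p>Constructed example description.</p></description>
    <!-- The poam-item does not restate the rating; it references the risk assembly
         by UUID (element name associated-risk is an assumption). -->
    <associated-risk risk-uuid="00000000-0000-4000-8000-000000000002"/>
    <!-- Interim home for the template's "Comments" column, per the issue text. -->
    <remarks><p>Additional information not specified in another column.</p></remarks>
  </poam-item>
</plan-of-action-and-milestones>
```

The alternative the issue mentions, a custom-namespace prop on the poam-item, would look like a placeholder `<prop name="comment" ns="https://example.org/ns/oscal" value="..."/>` inside the poam-item; the prop name and namespace there are assumptions, not FedRAMP-defined values. Keeping the original rating as its own facet with state="initial" means later risk adjustments can be added alongside it without losing the value the reviewer first saw, which is the audit property the "Original Risk Rating" column exists to preserve.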