
Mapping details for Original Risk Rating, Comments, and Auto Approve missing #588

Open
1 of 12 tasks
spencermcginnis opened this issue Apr 19, 2024 · 1 comment
Labels
documentation Improvements or additions to documentation enhancement New feature or request Scope: Guides

Comments

@spencermcginnis

This is a ...

request - need something additional provided

This relates to ...

  • the FedRAMP OSCAL Registry
  • the FedRAMP OSCAL baselines
  • the Guide to OSCAL-based FedRAMP Content
  • the Guide to OSCAL-based FedRAMP System Security Plans (SSP)
  • the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP)
  • the Guide to OSCAL-based FedRAMP Security Assessment Results (SAR)
  • the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M)
  • the FedRAMP SSP OSCAL Template (JSON or XML Format)
  • the FedRAMP SAP OSCAL Template (JSON or XML Format)
  • the FedRAMP SAR OSCAL Template (JSON or XML Format)
  • the FedRAMP POA&M OSCAL Template (JSON or XML Format)
  • the FedRAMP OSCAL Validations

What is your feedback?

I could not find any mapping details or context for incorporating the Original Risk Rating, Comments, and Auto Approve attributes into an OSCAL-based POAM submission.

Where, exactly?

It relates to the published implementation guidance for implementing OSCAL for POAM reporting (rev 5). The guide explicitly mentions all other columns that appear in the human readable version of the POAM reporting template, but does not appear to directly address these three attributes. I would have expected to find information about this in section 4.2, but am unable to find any references to these attributes anywhere in the guide.

Other information

No response

@Rene2mt Rene2mt self-assigned this May 1, 2024
@Rene2mt
Member

Rene2mt commented May 1, 2024

The POA&M user guide will need to be updated with more details. Please see the guidance below.

POA&M - Original Risk Rating
The following illustrates how to represent the original risk rating (XML example | JSON example). The original risk is captured in the risk assembly (plan-of-action-and-milestones\risk\characterization\facet["risk"]) with a child assembly state="initial". Then, the poam-item just references the risk assembly (XML example | JSON example).

POA&M - Comments
The FedRAMP POA&M Template notes that the "Comments" column is "for additional information, not specified in another column". FedRAMP currently does not have a specific assembly / object where this content must go; however, until such guidance is provided, the plan-of-action-and-milestones\poam-item\remarks can be used for that purpose. Alternatively, a custom namespace prop could be added to the poam-item to capture POA&M comments.

POA&M - Auto Approve
The FedRAMP POA&M Template notes that the "Auto-Approve" column is for determining "Whether the deviation request was auto-approved or manually approved". While this is in the template, it has not been operationalized yet by FedRAMP. Discussions and planning regarding the scope (what DRs can be auto-approved? Risk Adjustments? False Positives?) and, more importantly, what the requirements are for when automated DR approvals could/should be granted, are being sorted out. Once the scope and requirements are defined, we will work with the community to propose guidance for handling this in OSCAL.
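To make the mapping in the comment above concrete, here is an added example (not code from the FedRAMP automation repository or its guides) that builds a small POA&M in OSCAL JSON and pulls the Original Risk Rating and Comments back out of it the way a reviewer or a validation script would. It assumes the OSCAL 1.x POA&M JSON shape (`risks[].characterizations[].facets[]` carrying a `state` prop, and `poam-items[].related-risks[].risk-uuid`), the FedRAMP facet `system` URI used in the guides, and a placeholder custom namespace for a `comments` prop; the UUIDs and sample content are constructed. The original rating is the `risk` facet whose `state` prop is `initial`; a facet with `state` = `adjusted` is read as the current rating after a risk adjustment, and items whose risk reference does not resolve or that have no `initial` rating are reported so the gap can be fixed before submission.

```python
"""Extract Original Risk Rating and Comments from an OSCAL POA&M (JSON).

Added example, not part of the FedRAMP automation project. Assumptions:
OSCAL 1.x POA&M JSON shape, FedRAMP facet system URI, a placeholder custom
namespace for a "comments" prop, and constructed sample data / UUIDs.
"""
from typing import Any, Optional

FEDRAMP_NS = "https://fedramp.gov/ns/oscal"   # facet "system" used in the FedRAMP guides
CUSTOM_NS = "https://csp.example/ns/poam"      # ASSUMPTION: placeholder custom namespace

# Constructed UUIDs for the sample document.
RISK_A = "a1d2f3e4-0000-4000-8000-000000000001"
RISK_B = "a1d2f3e4-0000-4000-8000-000000000002"
RISK_MISSING = "a1d2f3e4-0000-4000-8000-00000000ffff"   # deliberately unresolvable
ITEM_1 = "b1d2f3e4-0000-4000-8000-000000000001"
ITEM_2 = "b1d2f3e4-0000-4000-8000-000000000002"
ITEM_3 = "b1d2f3e4-0000-4000-8000-000000000003"


def _facet(name: str, value: str, state: str) -> dict[str, Any]:
    """A FedRAMP-style facet: the 'state' prop says whether it is initial or adjusted."""
    return {"name": name, "system": FEDRAMP_NS, "value": value,
            "props": [{"name": "state", "value": state}]}


def _risk(uuid: str, title: str, facets: list[dict[str, Any]]) -> dict[str, Any]:
    """Minimal risk assembly with one characterization holding the given facets."""
    return {"uuid": uuid, "title": title, "description": title, "statement": title,
            "status": "open",
            "characterizations": [{
                "origin": {"actors": [{"type": "tool",
                                       "actor-uuid": "c1d2f3e4-0000-4000-8000-000000000001"}]},
                "facets": facets}]}


SAMPLE_POAM: dict[str, Any] = {  # constructed sample document
    "plan-of-action-and-milestones": {
        "uuid": "d1d2f3e4-0000-4000-8000-000000000001",
        "risks": [
            _risk(RISK_A, "Outdated TLS library on web tier", [
                _facet("likelihood", "moderate", "initial"),
                _facet("impact", "high", "initial"),
                _facet("risk", "high", "initial"),       # Original Risk Rating
                _facet("risk", "moderate", "adjusted"),  # rating after an approved Risk Adjustment
            ]),
            _risk(RISK_B, "Verbose error pages", [_facet("risk", "low", "initial")]),
        ],
        "poam-items": [
            {"uuid": ITEM_1, "title": "Patch TLS library", "description": "Apply vendor patch.",
             "related-risks": [{"risk-uuid": RISK_A}],
             "remarks": "Vendor patch scheduled for next maintenance window."},   # Comments via remarks
            {"uuid": ITEM_2, "title": "Disable debug error pages", "description": "Turn off stack traces.",
             "props": [{"name": "comments", "ns": CUSTOM_NS,                      # Comments via custom prop
                        "value": "Tracked in the CSP change log."}],
             "related-risks": [{"risk-uuid": RISK_B}]},
            {"uuid": ITEM_3, "title": "Orphaned item", "description": "References a missing risk.",
             "related-risks": [{"risk-uuid": RISK_MISSING}]},
        ],
    }
}


def _facet_value(risk: dict[str, Any], name: str, state: str) -> Optional[str]:
    """Return the value of the FedRAMP facet `name` whose 'state' prop equals `state`."""
    for ch in risk.get("characterizations", []):
        for facet in ch.get("facets", []):
            if facet.get("name") != name or facet.get("system") != FEDRAMP_NS:
                continue
            props = {p.get("name"): p.get("value") for p in facet.get("props", [])}
            if props.get("state") == state:
                return facet.get("value")
    return None


def _comments(item: dict[str, Any]) -> Optional[str]:
    """Comments column: prefer the custom-namespace prop, fall back to poam-item remarks."""
    for p in item.get("props", []):
        if p.get("name") == "comments" and p.get("ns") == CUSTOM_NS:
            return p.get("value")
    return item.get("remarks")


def extract_poam_rows(doc: dict[str, Any]) -> list[dict[str, Any]]:
    """One row per poam-item with resolved original/current risk rating and comments."""
    poam = doc["plan-of-action-and-milestones"]
    risks = {r["uuid"]: r for r in poam.get("risks", [])}
    rows = []
    for item in poam.get("poam-items", []):
        refs = [r["risk-uuid"] for r in item.get("related-risks", [])]
        original = current = None
        for uuid in refs:
            risk = risks.get(uuid)
            if risk is None:
                continue
            original = original or _facet_value(risk, "risk", "initial")
            current = current or _facet_value(risk, "risk", "adjusted")
        rows.append({"poam_item_uuid": item["uuid"], "title": item.get("title"),
                     "original_risk_rating": original, "current_risk_rating": current,
                     "comments": _comments(item),
                     "unresolved_risk_uuids": [u for u in refs if u not in risks]})
    return rows


def items_missing_original_rating(doc: dict[str, Any]) -> list[str]:
    """UUIDs of poam-items that cannot be traced to an initial risk facet."""
    return [r["poam_item_uuid"] for r in extract_poam_rows(doc)
            if r["original_risk_rating"] is None]


if __name__ == "__main__":
    for row in extract_poam_rows(SAMPLE_POAM):
        print(row)
    print("missing original rating:", items_missing_original_rating(SAMPLE_POAM))
```

The same lookup works on a real POA&M after `json.load`, since it only walks the keys named above; if a submission uses a different custom namespace for comments, change `CUSTOM_NS` to match.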

@Rene2mt Rene2mt added documentation Improvements or additions to documentation enhancement New feature or request Scope: Guides labels May 7, 2024