fedramp-automation icon indicating copy to clipboard operation
fedramp-automation copied to clipboard

Published 20 hours ago verified publisher icon GSA

What are the use cases for risk statement?

Open telosBA opened this issue 2 years ago • 0 comments

  • This is a ...

    • [ ] concern - I think something needs to be different.
    • [x] question - I didn't understand something.
    • [ ] kudos - I found something helpful and want to encourage it in future FedRAMP publications.
    • [ ] request - I would like to see something additional provided.

  • This relates to ...

    • [ ] the FedRAMP OSCAL Registry (Excel File)
    • [ ] the Guide to OSCAL-based FedRAMP Content (PDF)
    • [ ] the Guide to OSCAL-based FedRAMP System Security Plans (SSP) (PDF)
    • [ ] the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP) (PDF)
    • [ ] the Guide to OSCAL-based FedRAMP Security Assessment Reports (SAR) (PDF)
    • [x] the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M) (PDF)
    • [ ] the FedRAMP SSP OSCAL Template (JSON or XML Format)
    • [ ] the FedRAMP SAP OSCAL Template (JSON or XML Format)
    • [ ] the FedRAMP SAR OSCAL Template (JSON or XML Format)
    • [ ] the FedRAMP POA&M OSCAL Template (JSON or XML Format)
    • [ ] General/Overall
    • [ ] Other

NOTE: For feedback related to the OSCAL syntax itself, please create or add to an issue in the NIST OSCAL Repository.

  • Where, exactly?

    • For the registry, please indicate the tab and cell, or other clear identifier
    • For the guide, please indicate the section number and printed page number (lower right corner)
    • For the OSCAL XML or JSON files, please indicate XML or JSON; and indicate the line number, field id, or other clear location identifier

  • What is your feedback? Section 4.5.1 containing "Risk statement" statement e.g. <statement> <p>This is the tool-provided statement about the identified risk.</p> <p>If no risk statement from tool, set to 'No Risk Statement'.</p> </statement> <status>open</status>

  • What version of OSCAL are you using? (Check our info on supported OSCAL versions)

  • What action would you like to see from the FedRAMP PMO?

If risk is not created by a tool but rather a person, how is risk statement leveraged?

  • Other information (e.g. detailed explanation, related issues, suggestions how to fix, links for us to have context, eg. slack, gitter, etc)

telosBA avatar Sep 08 '22 19:09 telosBA