OSCAL
assessment-assets missing in POAM's local-definitions
Describe the bug
In circumstances where a POAM is provided without a System Security Plan (SSP), for circumstances where no OSCAL-based SSP exists, or is not delivered with the POA&M, there is no means to specify the definitions of components and assessment-platforms used in the assessment and referenced by an origin's actor as the source of the information. As a result, there is no means to resolve/look up details about the referenced actor.
{A clear and concise description of what the bug is.}
Who is the bug affecting?
What is affected by this bug?
{Describe the impact the bug is having.}
When does this occur?
{Describe the conditions under which the bug is occurring.}
How do we replicate the issue?
{What are the steps to reproduce the behavior?
- Do this...
- Then this...
- See error
If applicable, add screenshots to help explain your problem.}
Expected behavior (i.e. solution)
The local-definition of the POAM should be revised to contain an assessment-assets field that would enable definitions for both components and assessment-platforms used in the assessment to be defined so that references can be resolved.
Other Comments
{Add any other context about the problem here.}
To correct this, assessment-assets needs to be added to local-definitions in the POAM model to allow for the assessment tooling to be cross-referenced. This should have the same structure as the local-definitions/assessment-assets allowed in the OSCAL assessment-results model.
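The gap described in this issue, shown as an added example that is not part of the original report or the OSCAL project's code: a resolver that walks the origin actors of a JSON POA&M and lists the references it cannot look up. Assumptions: the sample documents and UUIDs are constructed, the function names are hypothetical, actor types `tool`, `assessment-platform` and `party` are taken to point at components, assessment platforms and metadata parties, and `assessment-assets` under `local-definitions` has the shape the issue proposes.

```python
import copy
# Constructed sample data; UUIDs and titles are made up for illustration.
PLATFORM = "11111111-1111-4111-8111-111111111111"
TOOL = "22222222-2222-4222-8222-222222222222"
SAMPLE_POAM = {"plan-of-action-and-milestones": {
    "metadata": {"title": "Constructed POA&M delivered without an SSP"},
    "observations": [{
        "uuid": "33333333-3333-4333-8333-333333333333",
        "origins": [{"actors": [
            {"type": "assessment-platform", "actor-uuid": PLATFORM},
            {"type": "tool", "actor-uuid": TOOL}]}]}]}}
# Assumption: same shape as assessment-results local-definitions/assessment-assets.
PROPOSED_ASSETS = {
    "components": [{"uuid": TOOL, "type": "software", "title": "Scanner"}],
    "assessment-platforms": [{"uuid": PLATFORM, "title": "Scan host",
                              "uses-components": [{"component-uuid": TOOL}]}]}

def index_definitions(poam):
    """Map uuid -> actor type for every definition an actor may reference."""
    index = {p["uuid"]: "party" for p in poam.get("metadata", {}).get("parties", [])}
    local = poam.get("local-definitions", {})
    assets = local.get("assessment-assets", {})  # field proposed in this issue
    for comp in local.get("components", []) + assets.get("components", []):
        index[comp["uuid"]] = "tool"
    for plat in assets.get("assessment-platforms", []):
        index[plat["uuid"]] = "assessment-platform"
    return index

def unresolved_actors(document):
    """Return (item uuid, actor type, actor uuid) for references that dangle."""
    poam = document["plan-of-action-and-milestones"]
    index = index_definitions(poam)
    missing = []
    for section in ("observations", "risks"):
        for item in poam.get(section, []):
            for origin in item.get("origins", []):
                for actor in origin.get("actors", []):
                    if index.get(actor["actor-uuid"]) != actor["type"]:
                        missing.append((item["uuid"], actor["type"], actor["actor-uuid"]))
    return missing

def with_assessment_assets(document, assets):
    """Copy the document and add the proposed local-definitions/assessment-assets."""
    patched = copy.deepcopy(document)
    local = patched["plan-of-action-and-milestones"].setdefault("local-definitions", {})
    local["assessment-assets"] = assets
    return patched

if __name__ == "__main__":
    print(unresolved_actors(SAMPLE_POAM))
    print(unresolved_actors(with_assessment_assets(SAMPLE_POAM, PROPOSED_ASSETS)))
```

Run against a stand-alone POA&M, the first call reports both actors as dangling; once the proposed block is present the list is empty.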