Risk with multiple associated POAMs

[TelosPO]

If there are multiple POAM that share a Risk but there are different due dates for the respective POAMs what should the expected remediation date of the risk?

[aj-stein-nist]

Hello, we need some more details for this question to give a specific answer.

1. When you say "multiple POAM" do you mean multiple poam-items in one plan-of-action-and-milestones document or do you mean different poam-items in 2 or more plan-of-action-and-milestones documents? Are they connected to the same one set of assessment-plan and assessment-results documents or different ones? These details change the answer.
2. We would strongly recommend you provide an example to help us better understand the details around the questions asked in 1.
3. When we expand upon the details with 1 and 2, there may be one or more correct answers, or recommendations without a specific answer. The context matters regarding the security framework in use (Risk Management Framework SP 800-37/800-53 guidance) and the system(s) in this scenario. We may have to direct you to other points of contact in NIST or elsewhere to answer those questions later on.

[aj-stein-nist]

@TelosPO or @Telos-sa (I see both of you post issues here and in FedRAMP repos on behalf of Telos, so I assume you'll get the message to one another 😄), do you have any considerations regarding the follow-on details we asked for here? Thanks.

[aj-stein-nist]

OK @TelosPO or @Telos-sa and @ConnorHiteSA (I see you have an account now), I wanted to make sure we moved forward with an official answer from the NIST Team but have not heard back. We will leave it open for further discussion, but without further detail we cannot draft such an answer. By the end of the week if we do not hear back, I will remove this from the sprint (which ends on July 7th). We can always revisit an official answer later, but wanted to leave the door open.

[aj-stein-nist]

OK this has been removed from sprint, an official answer will come later then and the team will move onto other issues.

[Telos-sa]

@aj-stein-nist here is an example, with a collection of permutations, though I dont think it is exhaustive. Wrote notes for how we are handling deadline and status. Here there is one risk, and two related POAMs. So all activities for remediation are tracked in the risk, including seperate milestones for each of the POAMs, and the different statuses in the risk log, which we use to determine if a risk has been mitigated or is still open.

BLUF: should risks to POAMs ration be 1 to 1? FedRAMP has a requirement for a limit of 1 risk associated to each POAM, but that is not mutually exclusive. IE each poam has 1 risk, but 1 risk can have many poams. This is how we have set up the relationships. Just need confirmation that this was executed within scope, or if there should be adjustments.

Examples of RISK and POAM relationships:

"plan-of-action-and-milestones": {
....
"risks": [
{
"uuid": "9cbd98f3-abcb-4948-ad06-14e0bcba742f",
"title": "Inventory patching does not meet Requirements",
"status": "Status derived from a collection of all of the POAMs?
IE, if POAM 1 is remediated, but POAM 2 is not,
status set to 'remediating'",
"deadline": "90 Days from latest POAM, or 90 Days from First POAM
Or are we supposed to create a new Risk every time we identify same finding?
What if we allocate the deadline to the POAM and not the RISK?",
"remediations": [
{
"uuid": "8adc98f3-abcd-4958-ad06-14f0baba542c",
"lifecycle": "recommendation",
"title": "Tool's recommendation",
"description": "Patch Windows server 2019 to Patch 1234",
"origins": [
{
"actors": [
{
"type": "tool",
"actor-uuid": "1b3c69f2-eda6-55c1-ab52-732c1234a5c0"
}
]
}

                ]
            }, 
            {
                "uuid": "7adc98f3-abcd-4958-ad15-15f0baba542d", 
                "lifecycle": "completed", 
                "title": "CSP's Remediation Plan", 
                "description": "Patch Windows server 2019 to Patch 1234 on all windows servers", 
                "links": [
                    {
                        "href": "#1ace98e3-ac1b-4545-ae13-14e0bcba662f"
                    }
                ], 
                "tasks": [
                    {
                        "type": "milestone... associate to the specific POAM."
                        ...
                    }, 
                    {
                        "type": "milestone... associate to the specific POAM."
                        ...
                    }, 
                    {
                        "type": "milestone... associate to the specific POAM."
                        ...
                    }
                ]
            }, 
            {
                "uuid": "6cab98f3-abad-4951-ad12-15f0baba615d", 
                "lifecycle": "planned", 
                "title": "CSP's Remediation Plan", 
                "description": "Patch aws Linux2 Server to Patch 5523", 
                "links": [
                    {
                        "href": "#2ace98e3-ac1b-4545-ae13-14e0bcba662e"
                    }
                ], 
                "tasks": [
                    {
                        "type": "milestone... associate to the specific POAM."
                        ...
                    }, 
                    {
                        "type": "milestone... associate to the specific POAM."
                        ...
                    }, 
                    {
                        "type": "milestone... associate to the specific POAM."
                        ...
                    }
                ]
            }
        ], 
        "risk-log": {
            "entries": [
                {
                    "title": "Finished Milestone",
                    ...
                    "start": "milestone start Date", 
                    "end": "date Milestone was completed", 
                    "props": [
                        "name": "type", 
                        "value": "milestone-complete"
                    ], 
                    "links": [
                        {
                            "href": "#2ace98e3-ac1b-4545-ae13-14e0bcba662e"
                        }
                    ]
                }, 
                {
                    "title": "Finished Milestone",
                    ...
                    "start": "milestone start Date", 
                    "end": "date Milestone was completed", 
                    "props": [
                        "name": "type", 
                        "value": "milestone-complete"
                    ], 
                    "links": [
                        {
                            "href": "#9cbd98f3-abcb-4948-ad06-14e0bcba742f"
                        }
                    ]
                }, 
                {
                    "title": "POAM Remediated",
                    ...
                    "start": "date POAM was opened", 
                    "end": "date POAM was completed", 
                    "props": [
                        "name": "type", 
                        "value": "remediated"
                    ], 
                    "links": [
                        {
                            "href": "#9cbd98f3-abcb-4948-ad06-14e0bcba742f"
                        }
                    ]
                }
            ]
        }            
    }
], 
"poam-items": [
    {
        "uuid": "1ace98e3-ac1b-4545-ae13-14e0bcba662f",
        "title": "Windows server not patched",
        ...
        "related-risks": [
            {
                "risk-uuid": "9cbd98f3-abcb-4948-ad06-14e0bcba742f"
            }
        ]
    }, 
    {
        "uuid": "2ace98e3-ac1b-4545-ae13-14e0bcba662e",
        "title": "Linux server not patched",
        ...
        "related-risks": [
            {
                "risk-uuid": "9cbd98f3-abcb-4948-ad06-14e0bcba742f"
            }
        ]
    }
]

}

[aj-stein-nist]

Thanks again and apologies for the delay. We are now in the middle of a release sprint. We will get back to you once we re-prioritize this work in a sprint later in July or beginning of August.

[Telos-sa]

Thanks for the update A.J! We will standby for additional details Stephanie Lacy | Senior Solutions Architect ***@***.*** | www.telos.com

…

________________________________ From: A.J. Stein ***@***.***> Sent: Tuesday, July 11, 2023 4:02:09 PM To: usnistgov/OSCAL Cc: Telos Solutions Architects; Mention Subject: [Caution: External] Re: [usnistgov/OSCAL] Risk with multiple associated POAMs (Discussion #1619) Thanks again and apologies for the delay. We are now in the middle of a release sprint. We will get back to you once we re-prioritize this work in a sprint later in July or beginning of August. — Reply to this email directly, view it on GitHub<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_usnistgov_OSCAL_discussions_1619-23discussioncomment-2D6420140&d=DwMCaQ&c=fwF34uzOsSLA_QyctP8xMw&r=pfbmGckWtc_qcwAJ-keRNhRhyEJgJRmWabzEn4YEDpk&m=aZVxjTHk7mAn8MjPxoOsLuJCYNn-SnzZps4Qu9_M-dY0LFJu_RqwY561z0OcVBtc&s=ztjijL9Qlk6h1KFNuO4-W681sPdKcjFjZNVOFwQfcUU&e=>, or unsubscribe<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_A6KF2RM3RXGAFR7CLNLJTSTXPWWMDANCNFSM6AAAAAAT7TC63I&d=DwMCaQ&c=fwF34uzOsSLA_QyctP8xMw&r=pfbmGckWtc_qcwAJ-keRNhRhyEJgJRmWabzEn4YEDpk&m=aZVxjTHk7mAn8MjPxoOsLuJCYNn-SnzZps4Qu9_M-dY0LFJu_RqwY561z0OcVBtc&s=B-PXK2oJCljJLuWZFZPdQLTDpsJAlGBBIYef4_sZwCM&e=>. You are receiving this because you were mentioned.Message ID: ***@***.***>