This relates to OSCAL-based FedRAMP SSPs representing Table 7.1
User Story
As a creator of FedRAMP-compliant OSCAL SSP content, I need to better understand the Risks/Impact/Mitigation column in the Word SSP Template, Table 7.1 External Systems/Services, Interconnections, APIs, and CLIs Without FedRAMP Authorizations.
In particular, I need to understand:
Are risks identified related to this table expected to be in the POA&M?
Does this column exist as an intended summary of the POA&M entry?
Goals
Simplify the OSCAL representation of this column as much as possible.
Ideally, any associated risks in Table 7.1 require a POA&M entry. OSCAL content can be linked to the entry, and tools can display the associated POA&M item(s) when FedRAMP reviews this table.
This enables a reviewer to see the complete and up-to-date risk picture for the associated risk, while simultaneously reducing data redundancy and eliminating the need to maintain the information in both places.
@brian-ruf posted the following in the FedRAMP Team channel on Google Chat prior to creating this issue. The above screenshot of Table 7.1 was included.
This is a ...
research - something needs to be investigated
Dependencies
No response
Acceptance Criteria
Other information
No response