POAM Item should have a related-finding assembly

[vmangat]

User Story:

As an OSCAL tool developer, it is a challenge to identify a "target" or the implementation-statement-uuid for a specific poam-item without traversing through the observations of the poam-item and then correlating these observations with the related-observations in the findings

Goals:

This can be implemented by including an assembly in poam-items as follows:

related-findings [0 or 1]: [
        An array of related-findings objects [1 to ∞] {
              finding-uuid [1]: uuid
        }
], 

or

by use of a link with rel='related-finding'.

• Develop a proposal for implementing this as an assembly and a link
• Socialize both approaches at an OSCAL model review
• Implement the consensus approach.

Dependencies:

None. This would be a backward compatible change that could be added in v1.0.2

Acceptance Criteria

• A link rel has been added to support this in the poam-item.
• An example has been created to illustrate this.
• All OSCAL website and readme documentation affected by the changes in this issue have been updated. Changes to the OSCAL website can be made in the docs/content directory of your branch.
• A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
• The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.

{The items above are general acceptance criteria for all User Stories. Please describe anything else that must be completed for this issue to be considered resolved.}

[david-waltermire]

I believe this could also be a link:

Something like:

link:
- rel: related-finding
  href: source#finding-uuid

[vmangat]

Stepping back a little bit, lets envision creating a poam-item by including a

{finding which refers to target, and/or observations and/or risks}, OR
{observations and/or risks}

In both cases the related-observations and related-risks will be copied into the "observations" and "risks" assemblies in the POAM document. Likewise the related-findings should be copied into a "findings" assembly in the POAM document.

This continues the theme of keeping the POAM document fairly self sufficient

Using a link to other documents breaks the paradigm of keeping the POAM document fairly self sufficient.

[iMichaela]

This continues the theme of keeping the POAM document fairly self sufficient

Using a link to other documents breaks the paradigm of keeping the POAM document fairly self sufficient.

@vmangat - OSCAL's core traceability concept is based on exactly the opposite approach than the one you try to implement. The information is not re-copied between documents (OSCAL content) because the maintenance/updates of all documents will be a nightmare. Tools can bring the information in front of the user's eyes by extracting it from the OSCAL sources.
Nobody wants to be where we are today and deal with documents that become obsolete before even the system is operational. One piece of information should remain in one place, so when it needs to be updated, the process becomes simple and requires a minimum effort.
@david-waltermire-nist 's guidance is correct. With that said, we are not prescriptive. Anyone can implement it as it suits their needs, but, regrettably, we cannot support requests to change OSCAL if we believe such requests are not aligned with the proper use of OSCAL.

[vmangat]

@iMichaela We are by no means suggesting or supporting re-copying of information, i was making that comment based on the current design of poam-item, it will necessitate this.
The Observations and Risks assembly in the poam-item will require them to be copied in from the SAR. If the intention is not to do so, then they should included in a local-definition wrapper.

We are asking that Observations, Risks and Findings be treated the same and all 3 could be present in the poam-item. Finding is missing from poam-item as defined in v1.0.0

Happy to explain this in more detail if this issues can be scheduled for discussion a dev meeting.

[david-waltermire]

@vmangat We can add a link rel to support this. This will allow the poam-item to point to the finding in the OSCAL assessment results. No copying or duplication needed.

[david-waltermire]

We should also create an example of how to do this.

[GaryGapinski]

plan-of-action-and-milestones (as of v1.0.4 schema) is replete with link elements including within poam-item. An example (of likely inter-document links) would be useful.

[Compton-US]

Submitted PR to address this: #1478

An assembly was added for related-finding.

[vmangat]

Thank you for this change. It helps link poam-item to finding/target and finding/implementation-uuid without the use of additional props that FedRAMP had to introduce.