This week, FedRAMP published a Q&A and a tip that discuss POA&Ms and inventory:
Q: What constitutes a unique finding for Plan of Actions & Milestones (POA&M) reporting and how should CSPs group related findings on the POA&M?
A: The weakness identifier, asset identifier, and original detection date are the elements that constitute a new finding. If vulnerabilities are related, they can be grouped as long as the original detection date is the same. If this date is different, however, the vulnerabilities cannot be grouped because the remediation plan and time would be different. As an example, if a vulnerability was detected in multiple instances of an operating system due to a specific missing patch in the June scans, then they can be grouped together. However, if the same vulnerability was detected in the July scans, then they cannot be grouped together.
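The grouping rule above, worked through in code as an added example (not FedRAMP's own tooling or text): the scan rows, the patch name "KB-EXAMPLE", the host names and the dates are constructed, and it assumes the original detection date of a finding is the earliest scan date on which that weakness was reported for that asset.

```python
from collections import defaultdict
from datetime import date

# Constructed sample scan results (not from the page): one row per
# detection of a weakness on one asset during a monthly scan.
SCAN_RESULTS = [
    # June scan: missing patch "KB-EXAMPLE" on three OS instances
    ("KB-EXAMPLE", "web-01", date(2020, 6, 15)),
    ("KB-EXAMPLE", "web-02", date(2020, 6, 15)),
    ("KB-EXAMPLE", "db-01", date(2020, 6, 15)),
    # July scan: the June instances are still open, and a newly built
    # host shows the same missing patch for the first time
    ("KB-EXAMPLE", "web-01", date(2020, 7, 15)),
    ("KB-EXAMPLE", "web-02", date(2020, 7, 15)),
    ("KB-EXAMPLE", "db-01", date(2020, 7, 15)),
    ("KB-EXAMPLE", "web-03", date(2020, 7, 15)),
]


def derive_findings(scan_results):
    """Collapse repeated detections into unique findings.

    A finding is identified by weakness identifier, asset identifier and
    original detection date: a later scan that still reports the same
    weakness on the same asset is the same finding, not a new one.
    Assumption: the original detection date is the earliest scan date
    on which the weakness was reported for that asset.
    Returns a sorted list of (weakness_id, asset_id, original_date).
    """
    first_seen = {}
    for weakness_id, asset_id, scan_date in scan_results:
        key = (weakness_id, asset_id)
        if key not in first_seen or scan_date < first_seen[key]:
            first_seen[key] = scan_date
    return sorted((w, a, d) for (w, a), d in first_seen.items())


def group_for_poam(findings):
    """Group related findings into POA&M entries.

    Findings with the same weakness identifier may share one entry only
    when their original detection dates match, because the remediation
    plan and deadline are tied to that date. Returns a dict mapping
    (weakness_id, original_date) to the list of affected asset ids.
    """
    entries = defaultdict(list)
    for weakness_id, asset_id, original_date in findings:
        entries[(weakness_id, original_date)].append(asset_id)
    return dict(entries)
```

With the sample data the three June instances land in one POA&M entry, the July re-detections of those same hosts create nothing new, and the host first seen in July gets its own entry.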
TIP: For the annual assessment, it is necessary for 3PAOs and CSPs to ensure that the inventory is accurate and components that can be scanned with authentication are scanned with authentication.
If inventory is not accurate and the necessary components are not scanned with authentication, the Authorizing Officials (AOs) may not gain a complete understanding or picture of the system’s risk posture. CSPs and 3PAOs must ensure that a reasonable amount of time is allotted ahead of time to account for this.
Read more about this week's FedRAMP Tips and Cues here.