3. GENERAL REQUIREMENTS
The CSP must include the following in the Open POA&M Items worksheet:
§ All security vulnerabilities identified through vulnerability scanning tools, where the CSP is late remediating the vulnerability;
§ All known security vulnerabilities and deficiencies identified through means other than
vulnerability scanning tools (e.g., interviews and penetration testing); and
§ All security vulnerabilities for which the CSP is submitting a Deviation Request.
A security vulnerability remediation is late if it is not remediated within the time requirements detailed
in the FedRAMP Continuous Monitoring Strategy & Guide, and summarized in the bullets below.
The CSP must comply with the following:
§ Use the FedRAMP POA&M Template to track and manage POA&M items.
§ If a finding is identified in the SAR, or as a result of continuous monitoring activities, it must be
included as an item on the POA&M.
§ All POA&M entries must map back to a finding in the SAR and/or continuous monitoring
activities.
§ False positives identified in the SAR (Appendices C, D, and E), along with supporting evidence (e.g., a clean scan report), do not have to be included in the POA&M.
§ Each finding in the POA&M must have a unique identifier. This unique identifier must pair with
a respective SAR finding and continuous monitoring activities.
§ All high and critical risk findings must be remediated prior to receiving a JAB P-ATO.
§ High and critical risk findings identified through continuous monitoring activities must be
remediated within 30 days after identification.
§ Moderate findings must be remediated within 90 days following the P-ATO date, or 90 days
following identification.
§ Low findings must be remediated within 180 days following the P-ATO date, or 180 days
following identification.
Note: The POA&M Spreadsheet has problems with data validation in the Mac version of Microsoft
Office. Disabling macros typically resolves this issue.
Previously, FedRAMP required the CSP to enter all scanner-identified findings into the POA&M. Now only late scanner-identified findings are required. This applies only to findings identified by a scanning tool. All other findings must still be entered into the POA&M, whether they are late or not, including deficiencies identified through assessment interviews and penetration testing activities. CSPs must provide raw scan data to their AO in order to satisfy this requirement. Additionally, CSPs must comply with any SLAs or AO preferences in meeting this requirement (e.g., potentially including all open risks in the POA&M). It is the JAB's requirement that CSPs comply with this by providing raw scan data.
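As an added illustration (not part of the FedRAMP guide or template), the following Python applies the inclusion rules and remediation windows above to a constructed set of findings. The Finding class and its field names are assumptions, as is the reading that the remediation clock for a finding starts at the later of the P-ATO date and the identification date.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation windows (days) summarized in the bullets above.
WINDOW_DAYS = {"critical": 30, "high": 30, "moderate": 90, "low": 180}

@dataclass
class Finding:
    finding_id: str            # unique identifier pairing with the SAR / ConMon finding
    severity: str              # critical, high, moderate or low
    identified_on: date
    from_scanner: bool         # identified by a vulnerability scanning tool?
    deviation_request: bool = False
    remediated_on: Optional[date] = None

def remediation_due(f: Finding, p_ato_date: date) -> date:
    """Assumed reading of '90 days following the P-ATO date, or 90 days
    following identification': the clock starts at whichever date is later."""
    clock_start = max(f.identified_on, p_ato_date)
    return clock_start + timedelta(days=WINDOW_DAYS[f.severity.lower()])

def is_late(f: Finding, p_ato_date: date, as_of: date) -> bool:
    """An open finding is late once the as-of date is past its due date."""
    return f.remediated_on is None and as_of > remediation_due(f, p_ato_date)

def belongs_in_open_poam(f: Finding, p_ato_date: date, as_of: date) -> bool:
    """Apply the three inclusion rules for the Open POA&M Items worksheet."""
    if f.remediated_on is not None:
        return False                      # closed items are out of scope here
    if f.deviation_request or not f.from_scanner:
        return True                       # DRs and non-scanner findings: always
    return is_late(f, p_ato_date, as_of)  # scanner findings: only when late

def open_poam_ids(findings, p_ato_date: date, as_of: date) -> list:
    return [f.finding_id for f in findings if belongs_in_open_poam(f, p_ato_date, as_of)]

# Constructed sample data (not from any real system).
P_ATO = date(2024, 1, 15)
AS_OF = date(2024, 5, 1)
SAMPLE = [
    Finding("F1", "moderate", date(2023, 12, 1), from_scanner=True),
    Finding("F2", "low", date(2024, 3, 1), from_scanner=True),
    Finding("F3", "low", date(2024, 4, 20), from_scanner=False),   # pen test
    Finding("F4", "high", date(2024, 4, 25), True, deviation_request=True),
    Finding("F5", "high", date(2024, 2, 1), True, remediated_on=date(2024, 2, 20)),
]

print(open_poam_ids(SAMPLE, P_ATO, AS_OF))  # ['F1', 'F3', 'F4']
```

F1 is a scanner finding whose 90-day clock ran from the P-ATO date and expired on 2024-04-14, so it is late and included; F2 is a scanner finding still inside its 180-day window and is left out.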