Add concept of compensating controls and POA&M statuses to Applicable - Does Not Meet status #448
Comments
|
A POA&M doesn't really apply to STIG development imo but more to the implementation or not of STIG controls. A DNM control is required to have something in the mitigation field regardless if one is available or not even if it is just stating there are no current mitigations which is taken into account during the risk assessment. |
|
Please undo the changes made to the exposing the mitigations field based on the "mitigations available" button. If a control is DNM the mitigations field is required to be filled out and currently it is hidden by default. |
Resolved here: #465 |
Right now, selecting Does Not Meet for a control will expose a field for Mitigations.
First off, we'd like a boolean value for whether or not a mitigation is available at all.
If yes, then the mitigation field is exposed as a free-text field as usual.
If not, we need to know if there is a POA&M in place to deal with it. Expose a boolean field for whether a POA&M is currently in place.
Either way, expose a description of the POA&M status -- the STIG creator can describe either the status of the POA&M (timeline, where it's filed, etc.) or confirm there isn't one at present.
The text was updated successfully, but these errors were encountered: