VULCAN-448: Add concept of compensating controls and POA&M statuses to Applicable - Does Not Meet status

app/controllers/rules_controller.rb

@@ -136,9 +136,9 @@ def rule_update_params
       rule_descriptions_attributes: %i[id description _destroy],
       additional_answers_attributes: %i[id additional_question_id answer],
       disa_rule_descriptions_attributes: %i[
-        id vuln_discussion false_positives false_negatives documentable mitigations
-        severity_override_guidance potential_impacts third_party_tools mitigation_control
-        responsibility ia_controls _destroy
+        id vuln_discussion false_positives false_negatives documentable mitigations_available
+        mitigations poam_available poam severity_override_guidance potential_impacts
+        third_party_tools mitigation_control responsibility ia_controls _destroy
       ]
     )
   end

app/javascript/components/rules/forms/AdvancedRuleForm.vue

@@ -261,7 +261,10 @@ export default {
             "vuln_discussion",
             "false_positives",
             "false_negatives",
+            "mitigations_available",
             "mitigations",
+            "poam_available",
+            "poam",
             "severity_override_guidance",
             "potential_impacts",
             "third_party_tools",

app/javascript/components/rules/forms/BasicRuleForm.vue

@@ -117,7 +117,10 @@ export default {
       if (this.rule.status == "Applicable - Configurable") {
         return { displayed: ["vuln_discussion"], disabled: [] };
       } else if (this.rule.status == "Applicable - Does Not Meet") {
-        return { displayed: ["mitigations"], disabled: [] };
+        return {
+          displayed: ["mitigations_available", "mitigations", "poam_available", "poam"],
+          disabled: [],
+        };
       } else if (this.rule.status == "Not Yet Determined") {
         return { displayed: ["vuln_discussion"], disabled: ["vuln_discussion"] };
       } else {

app/javascript/components/rules/forms/DisaRuleDescriptionForm.vue

@@ -149,9 +149,31 @@
       </b-form-invalid-feedback>
     </b-form-group>
 
+    <!-- mitigations available -->
+    <b-form-group
+      v-if="fields.displayed.includes('mitigations_available')"
+      :id="`ruleEditor-disa_rule_description-mitigations-available-group-${mod}`"
+    >
+      <b-form-checkbox
+        :id="`ruleEditor-disa_rule_description-mitigations-available-${mod}`"
+        :checked="description.mitigations_available"
+        switch
+        @input="
+          $root.$emit(
+            'update:disaDescription',
+            rule,
+            { ...description, mitigations_available: $event },
+            index
+          )
+        "
+      >
+        Mitigations Available
+      </b-form-checkbox>
+    </b-form-group>
+
     <!-- mitigations -->
     <b-form-group
-      v-if="fields.displayed.includes('mitigations')"
+      v-if="fields.displayed.includes('mitigations') && description.mitigations_available"
       :id="`ruleEditor-disa_rule_description-mitigations-group-${mod}`"
     >
       <label :for="`ruleEditor-disa_rule_description-mitigations-${mod}`">
@@ -189,6 +211,63 @@
       </b-form-invalid-feedback>
     </b-form-group>
 
+    <!-- poam available -->
+    <b-form-group
+      v-if="fields.displayed.includes('poam_available') && !description.mitigations_available"
+      :id="`ruleEditor-disa_rule_description-poam-available-group-${mod}`"
+    >
+      <b-form-checkbox
+        :id="`ruleEditor-disa_rule_description-poam-available-${mod}`"
+        :checked="description.poam_available"
+        switch
+        @input="
+          $root.$emit(
+            'update:disaDescription',
+            rule,
+            { ...description, poam_available: $event },
+            index
+          )
+        "
+      >
+        POA&amp;M Available
+      </b-form-checkbox>
+    </b-form-group>
+
+    <!-- poam -->
+    <b-form-group
+      v-if="fields.displayed.includes('poam') && description.poam_available"
+      :id="`ruleEditor-disa_rule_description-poam-group-${mod}`"
+    >
+      <label :for="`ruleEditor-disa_rule_description-poam-${mod}`">
+        POA&amp;M
+        <i
+          v-if="tooltips['poam']"
+          v-b-tooltip.hover.html
+          class="mdi mdi-information"
+          aria-hidden="true"
+          :title="tooltips['poam']"
+        />
+      </label>
+      <b-form-textarea
+        :id="`ruleEditor-disa_rule_description-poam-${mod}`"
+        :value="description.poam"
+        :class="inputClass('poam')"
+        placeholder=""
+        :disabled="disabled || fields.disabled.includes('poam')"
+        rows="1"
+        max-rows="99"
+        @input="
+          $root.$emit('update:disaDescription', rule, { ...description, poam: $event }, index)
+        "
+      />
+      <b-form-valid-feedback v-if="hasValidFeedback('poam')">
+        {{ validFeedback["poam"] }}
+      </b-form-valid-feedback>
+      <b-form-invalid-feedback v-if="hasInvalidFeedback('poam')">
+        {{ invalidFeedback["poam"] }}
+      </b-form-invalid-feedback>
+    </b-form-group>
+
     <!-- severity_override_guidance -->
     <b-form-group
       v-if="fields.displayed.includes('severity_override_guidance')"
@@ -462,7 +541,10 @@ export default {
             "vuln_discussion",
             "false_positives",
             "false_negatives",
+            "mitigations_available",
             "mitigations",
+            "poam_available",
+            "poam",
             "severity_override_guidance",
             "potential_impacts",
             "third_party_tools",
@@ -495,6 +577,10 @@ export default {
         ].includes(this.rule.status)
           ? null
           : "Discuss how the system mitigates this vulnerability in the absence of a configuration that would eliminate it",
+        poam:
+          this.rule.status === "Applicable - Does Not Meet"
+            ? "Discuss the action of the POA&M in place for this vulnerability, including the start date and end date of the action"
+            : null,
         severity_override_guidance: null,
         potential_impacts:
           "List the potential operational impacts on a system when applying fix discussed in this control",

db/migrate/20220815180252_add_poam_to_disa_rule_descriptions.rb

@@ -0,0 +1,7 @@
+class AddPoamToDisaRuleDescriptions < ActiveRecord::Migration[6.1]
+  def change
+    add_column :disa_rule_descriptions, :mitigations_available, :boolean
+    add_column :disa_rule_descriptions, :poam_available, :boolean
+    add_column :disa_rule_descriptions, :poam, :text
+  end
+end

db/schema.rb

@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 2022_05_18_053923) do
+ActiveRecord::Schema.define(version: 2022_08_15_180252) do
 
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
@@ -154,6 +154,9 @@
     t.text "ia_controls"
     t.datetime "created_at", precision: 6, null: false
     t.datetime "updated_at", precision: 6, null: false
+    t.boolean "mitigations_available"
+    t.boolean "poam_available"
+    t.text "poam"
     t.index ["base_rule_id"], name: "index_disa_rule_descriptions_on_base_rule_id"
   end