Using System Package Mitigation Statements

When using the POAM in OpenRMF^® Professional there may be certain mitigation statements you use over and over again for open POAM items. To help with this, you can add and manage mitigation statements to attach and use over and over for your POAM entries.

There are application-wide mitigation statements that an Administrator can add and everyone can pull into their system package and use. Or you can create your own at your system package level as well. Once they are in your system package you can add them to any POAM record for use in the web interface as well as in the MS Excel (XLSX) POAM exported.

Adding an Available Mitigation Statement

To add an available mitigation statement click the Add Mitigation button if you are a System Owner of the system package you are viewing. A table appears showing a listing of available mitigation statements already made and shared for people using this installation of OpenRMF^® Professional. Find the one you wish to use and click the Add button.

The mitigation statement is now copied into your system package. Now that it is in your system package you can edit it and make it inactive if not in use.

Creating an Mitigation Statement

To create your own mitigation statement from scratch click the Create Mitigation button. This will create a mitigation statement for you to use in your system package. Add a category, title and the statement to save your mitigation statement. When active it will be available for you to add to any POAM record you choose if you are a System Owner.

Uploading Mitigation Statements

You also can upload a list of mitigation statements with the category, title, statement, and active status (TRUE / FALSE) to add or bulk edit mitigation statements for your system package. If you are a System Owner for the package, you can click the Upload Mitigation Statements button and select a proper CSV, XLSX, or JSON file.

There is sample data linked and listed below. This allows quick loading of mitigation statements to use at your system package level.

There is a similar feature at the Administration level for loading mitigation statements. This allows every single system package to add general mitigation statements into their particular system package.

Download a Sample XLSX as a starting point for uploading a spreadsheet or CSV file.

The JSON for the file upload or a JSON post with data in the body for the external API is shown below.

[
    {
        "mitigationCategory": "Infrastructure",
        "mitigationTitle": "Inherited from Platform",
        "mitigationStatement": "This is inherited from the platform we are using",
        "active": true
    },
    {
        "mitigationCategory": "Infrastructure",
        "mitigationTitle": "Inherited from Infrastructure Package",
        "mitigationStatement": "This is inherited from the infrastructure we are running on and its separate ATO",
        "active": true
    },
    {
        "mitigationCategory": "Firewall",
        "mitigationTitle": "Exception for Open Port",
        "mitigationStatement": "We have a documented exception for this port being open",
        "active": true
    }
]

Using Mitigation Statements in your POAM

To use one of the canned mitigation statements as a System Owner or POAM Editor you can click the ... menu on the POAM record you wish to add it to and click the Add Canned Mitigation Statement menu. You are presented with the list of available statements. Click the Add button next to the statements you wish to use in the order you want them to appear. Then click Close.

When you now view the details of that POAM record you will see the canned mitigation statement in the listing. If you have edit rights you can click the red “X” next to it to remove it. Now on viewing and exporting to MS Excel this mitigation statement will be shown.