2. POAM Exporting
C-PAT contains the ability to export into the standard eMASS excel format. Listed below are the applicable field mappings for STIG Manager and Tenable (ACAS) type POAMs.
Note
Draft POAMs are not exported.
2.1. Field Mappings
Column |
eMASS Column Title |
C-PAT Mapped Field |
|---|---|---|
C |
Control Vulnerability Description |
Description |
D |
Controls / APs |
Controls / APs (Handeled behind the scenes) |
E |
Office/Org |
Exporting user’s Office/Org, Full Name, Email. |
F |
Security Checks |
Source Identifying Control Vulnerability - ID # |
G |
Resources Required |
Required Resources |
H |
Scheduled Completion Date |
Scheduled Completion Date |
I |
Milestone ID |
“1” (Handeled behind the scenes) |
J |
Milestone with Completion Dates |
Formatted milestone data (See below for milestone formatting details) |
K |
Milestone Changes |
Formatted milestone change data (See below for milestone formatting details) |
L |
Source Identifying Vulnerability |
Special formatting rules (See below for Special formatting rules) |
M |
Status |
Special formatting rules (See below for Special formatting rules) |
N |
Comments |
Special formatting rules (See below for Special formatting rules) |
O |
Raw Severity |
Raw Severity (See below for mapping) |
P |
Devices Affected |
Affected assets list |
Q |
Mitigations (in-house and in conjunction with the Navy CSSP) |
Mitigations |
R |
Predisposing Conditions |
Predisposing Conditions |
S |
Severity |
Raw Severity (See below for mapping) |
T |
Relevance of Threat |
Default value, see below. |
U |
Threat Description |
Default value, see below. |
V |
Likelihood |
Likelihood |
W |
Impact |
Default value, see below. |
X |
Impact Description |
Impact Description |
Y |
Residual Risk Level |
Residual Risk |
Z |
Recommendations |
Default value, see below. |
AA |
Resulting Residual Risk after Proposed Mitigations |
Adjusted Severity (See below for mapping) |
2.2. Default Values
The following default values are always applied:
Column T (Relevance of Threat): "High"
Column U (Threat Description): "ADVERSARIAL - HIGH: Per table D-2 Taxonomy of Threat Sources lists ADVERSARIAL as individual (outsider, insider, trusted insider, privileged insider), therefore the Relevance of Threat defaults to HIGH."
Column W (Impact): "High"
Column Z (Recommendations): "After reviewing documentation, and interviewing system stakeholders, it has been determined that this vulnerability should be mitigated. The ISSO will continue to monitor this vulnerability, and update the POAM as necessary. See mitigations field for detailed mitigation information."
When no CCI is provided, the following defaults are applied:
Column D (Controls / APs): "CM-6.5"
Column N (Comments): "CCI-000366 Control mapping is unavailable for this vulnerability so it is being mapped to CM-6.5 CCI-000366 by default."
Note
The default CCI logic for exports is seperate from the CCI logic used throughout C-PAT. i.e. In STIG Manager, a query is made to /collections/{collectionId}/findings?aggregator=groupId&acceptedOnly=false&benchmarkId={benchmarkId}&projection=assets&projection=ccis and the CCI and AP Acronyms are pulled from the CCI projection. For Tenable, a query is made to plugin/{pluginId}; if the plugin has a Patch Publication Date, the CCI is mapped to SI-2.9 / CCI-002605. If the plugin does not have a Patch Publication Date, the CCI is mapped to CM-6.5 / CCI-000366.
Only in the event that the CCI is not found, the default Controls / APs and Comments are applied.
2.3. Severity Mapping
Input Severity |
Mapped Value |
|---|---|
CAT III - Info |
Very Low |
CAT III - Low |
Low |
CAT II - Medium |
Moderate |
CAT I - High |
High |
CAT I - Critical |
Very High |
2.4. Milestone Formatting
Milestones are formatted in two distinct sections:
2.4.2. Changes (Column K)
Milestone {Milestone #} Changes:
{Milestone Change Comments}
Milestone Status: {Milestone Status}
Milestone Date Change: {Milestone Due Date (MM/dd/yyyy)}
Note
Column I contains “1” if comments exist, otherwise the column remains empty.
2.5. Special Handling
2.5.1. Vulnerability Source (Column L)
STIG: Formatted as {STIG TITLE} :: {Revision} Benchmark Date: {Last Revision Date}
ACAS: Plugin Name
2.5.2. Status Mapping (Column M)
Closed: Mapped to “Completed”
Others: Mapped to “Ongoing”
2.5.3. Comments Mapping (Column N)
By default, comments are mapped to contain the following format:
CCI-{CCI #}
(AS APPLICABLE) "Control mapping is unavailable for this vulnerability so it is being mapped to CM-6.5 CCI-000366 by default."
"Local Site Impact: {Local Site Impact}"
2.4.1. Comments (Column J)
Milestone {Milestone #} {Milestone Comments} Milestone Status: {Milestone Status} Milestone Date: {Milestone Due Date (MM/dd/yyyy)}