FedRAMP POAM Quality Check

name: FedRAMP POAM Quality Check
slug: compliance-fedramp-validator
description: Validates FedRAMP Plan of Action and Milestones (POAM) files for structural integrity, naming conventions, deduplication, and cross-sheet consistency
capabilities:
- Header and format validation
- Naming convention compliance checks
- Duplicate entry detection
- Cross-sheet consistency validation
- Remediation timeline verification
inputs:
- name: poam_tsv
type: file
format: TSV (tab-separated values)
description: FedRAMP POAM export or OSCAL-derived tabular format
- name: naming_convention
type: json
description: Schema defining valid field names, formats, and constraint rules
optional: true
outputs:
- name: findings
type: json
schema: "{\"errors\": [{\"row\": int, \"field\": str, \"issue\": str, \"severity\": str}], \"warnings\": [...], \"stats\": {\"total_rows\": int, \"duplicates\": int, \"missing_required\": int}}"
- name: fix_suggestions
type: markdown
description: Human-readable remediation guidance ranked by severity
keywords:
- fedramp
- poam
- quality-check
- validation
- vulnerability-tracking
- compliance
version: 1.0.0
owner: [email protected]
license: CC0-1.0
security:
- No credential handling
- File read-only operations
- No external API calls
- Local processing only
links:
- title: FedRAMP OSCAL POA&M Documentation
url: https://automate.fedramp.gov/documentation/poam/
accessed: 2025-10-25T21:04:34-04:00
- title: FedRAMP POA&M Template Completion Guide
url: https://www.fedramp.gov/assets/resources/documents/CSP_POAM_Template_Completion_Guide.pdf
accessed: 2025-10-25T21:04:34-04:00
- title: NIST SP 800-37 Rev. 2 - Risk Management Framework
url: https://csrc.nist.gov/pubs/sp/800/37/r2/final
accessed: 2025-10-25T21:04:34-04:00
- title: FedRAMP Vulnerability Scanning Requirements
url: https://www.fedramp.gov/resources/documents/CSP_Vulnerability_Scanning_Requirements.pdf
accessed: 2025-10-25T21:04:34-04:00

Purpose & When-To-Use

Use this skill when you need to validate a FedRAMP Plan of Action and Milestones (POAM) file before submission or continuous monitoring updates. The POAM tracks system weaknesses and deficiencies with corrective actions and timelines according to FedRAMP requirements (accessed 2025-10-25T21:04:34-04:00: https://www.fedramp.gov/assets/resources/documents/CSP_POAM_Template_Completion_Guide.pdf).

Trigger conditions:
- Pre-submission quality gates for FedRAMP POAM deliverables
- Continuous monitoring validation before AO submission
- Post-assessment cleanup to ensure data integrity
- Integration checks for OSCAL-to-TSV conversions
- Duplicate entry detection across Open/Closed sheets

Pre-Checks

Required validations before proceeding:

1. Input availability:
2. poam_tsv file exists and is readable
3. File size < 10 MB (sanity check)

4. At least one header row present

5. Time context:

6. Compute NOW_ET using NIST time.gov semantics (America/New_York, ISO-8601)

7. Current timestamp: 2025-10-25T21:04:34-04:00

8. Schema availability:

9. If naming_convention provided, validate JSON schema structure
10. Required keys: required_fields, date_format, severity_levels

11. Default to FedRAMP standard if not provided

12. Encoding check:

13. Verify UTF-8 or ASCII encoding
14. Tab-delimited structure (not comma/pipe/other)

Abort conditions:
- File unreadable or corrupted
- No recognizable header row
- Encoding errors preventing parse

Procedure

Tier 1: Header & Format Sanity (≤2k tokens)

Goal: Fast validation for 80% of common issues

1. Parse header row:
2. Extract column names

3. Verify presence of core required fields:

   • POA&M Item ID, Control Identifier, Weakness Description
   • Risk Level (or Severity), Scheduled Completion Date, Status

4. Row-level format checks:

5. Count total rows (Open + Closed if multi-sheet)
6. Detect missing required fields (empty cells in required columns)
7. Flag malformed dates (must match YYYY-MM-DD or MM/DD/YYYY)

8. Check severity values: must be in {High, Moderate, Low, Informational}

9. Output (JSON):
   json { "errors": [ {"row": 12, "field": "Scheduled Completion Date", "issue": "Invalid date format", "severity": "error"} ], "warnings": [], "stats": {"total_rows": 47, "duplicates": 0, "missing_required": 3} }

10. Decision rule:

11. If errors > 10% of rows OR missing_required > 5, stop and report
12. Else proceed to T2

Token budget: ≤2k

Tier 2: Naming Convention & Deduplication (≤6k tokens)

Goal: Enforce naming standards and detect duplicates

1. Apply naming convention schema:
2. Validate POA&M Item ID format (e.g., POAM-YYYY-### or custom regex)
3. Check Control Identifier against NIST 800-53 rev4/rev5 catalog

4. Verify Status values: {Open, In Progress, Completed, Risk Accepted}

5. Deduplication logic:

6. Compute hash of (Control Identifier, Weakness Description, Resource)
7. Flag exact duplicates across Open/Closed sheets

8. Warn on near-duplicates (80%+ text similarity in Weakness Description)

9. Timeline validation (FedRAMP requirements):

10. High severity: remediation ≤ 30 days from discovery (accessed 2025-10-25T21:04:34-04:00: https://www.fedramp.gov/resources/documents/CSP_Vulnerability_Scanning_Requirements.pdf)
11. Moderate: ≤ 90 days
12. Low: ≤ 180 days

13. Flag overdue items with current NOW_ET comparison

14. Sources cited:

15. FedRAMP POA&M Template Completion Guide (accessed 2025-10-25T21:04:34-04:00): https://www.fedramp.gov/assets/resources/documents/CSP_POAM_Template_Completion_Guide.pdf
16. FedRAMP Vulnerability Scanning Requirements (accessed 2025-10-25T21:04:34-04:00): https://www.fedramp.gov/resources/documents/CSP_Vulnerability_Scanning_Requirements.pdf
17. NIST SP 800-37 Rev. 2 (accessed 2025-10-25T21:04:34-04:00): https://csrc.nist.gov/pubs/sp/800/37/r2/final

18. FedRAMP OSCAL POA&M Documentation (accessed 2025-10-25T21:04:34-04:00): https://automate.fedramp.gov/documentation/poam/

19. Enhanced output:

20. Add warnings for near-duplicates and overdue timelines
21. Populate duplicates count in stats
22. Generate markdown fix suggestions prioritized by severity

Token budget: ≤6k

Tier 3: Cross-Sheet Consistency (≤12k tokens)

Goal: Deep validation across Open/Closed sheets and logical integrity

1. Sheet relationship checks:
2. Verify no item appears in both Open and Closed sheets
3. Validate Closed items have Completion Date and Status = Completed

4. Check for reopened items (same ID moved from Closed → Open)

5. Risk scoring consistency:

6. If CVSS scores present, validate against declared Risk Level
7. Cross-reference Weakness Description with known CVE/CWE patterns

8. Flag discrepancies between narrative severity and numeric scores

9. Milestone progression:

10. For multi-milestone POAMs, verify dates are sequential
11. Check that Original Detection Date ≤ Scheduled Completion Date

12. Validate Resources Required field is populated for High/Moderate items

13. Rationale generation:

14. For each error/warning, provide context and remediation steps
15. Link to relevant sections of FedRAMP/NIST guidance

16. Estimate compliance risk (blocker vs. advisory)

17. Comprehensive markdown report:
    ```markdown
    ## Critical Issues (3)

18. Row 12: Invalid completion date (blocks submission)
19. Row 23: Duplicate weakness (merge required)

## Warnings (7)
- Row 8: Timeline exceeds FedRAMP requirement (High: 30 days)

## Recommendations
- Update naming convention to include fiscal year prefix
- Consider automated CVE enrichment for weakness descriptions
```

Token budget: ≤12k

Decision Rules

Ambiguity thresholds:
- Exact duplicate: 100% match on (Control ID, Weakness, Resource)
- Near-duplicate: ≥80% cosine similarity on Weakness Description text
- Overdue tolerance: Grace period of 7 calendar days beyond FedRAMP timeline

Abort/stop conditions:
- File parse failure → stop at Pre-Checks
- Errors > 10% rows → stop after T1, report findings
- Missing schema keys → use FedRAMP defaults, log warning

Escalation triggers:
- Critical errors (missing required fields, invalid dates) → halt progression
- Warnings only → continue to T3 if requested

Output Contract

Primary output (findings.json):

{
  "errors": [
    {
      "row": 12,
      "field": "Scheduled Completion Date",
      "issue": "Invalid date format (expected YYYY-MM-DD)",
      "severity": "error"
    }
  ],
  "warnings": [
    {
      "row": 8,
      "field": "Risk Level",
      "issue": "High-severity item overdue by 15 days",
      "severity": "warning"
    }
  ],
  "stats": {
    "total_rows": 47,
    "duplicates": 2,
    "missing_required": 3,
    "overdue_high": 1,
    "overdue_moderate": 4
  }
}

Secondary output (fix_suggestions.md):
- Markdown-formatted remediation guidance
- Grouped by severity: Critical → High → Medium → Low
- Includes row numbers, field names, and specific correction steps
- Links to authoritative sources for each issue type

Required fields in all outputs:
- timestamp: ISO-8601 Eastern Time (NOW_ET)
- skill_version: "1.0.0"
- input_file: original filename

Examples

Example 1: Basic T1 validation (≤30 lines)

# Input: poam_tsv = "fedramp_poam_2025.tsv"

findings = {
  "errors": [
    {"row": 5, "field": "POA&M Item ID", "issue": "Missing"},
    {"row": 12, "field": "Date", "issue": "Invalid '13/45/2025'"}
  ],
  "warnings": [
    {"row": 8, "issue": "High overdue 15d"}
  ],
  "stats": {"total_rows": 47, "duplicates": 2}
}

fix_suggestions = """
## Critical (2)
- Row 5: Add POA&M Item ID (POAM-2025-NNN)
- Row 12: Fix date (YYYY-MM-DD)

## Warnings (1)
- Row 8: High past 30-day window
"""

import json
print(json.dumps(findings))
print(fix_suggestions)
# Output: JSON findings + markdown suggestions

Quality Gates

Token budgets (mandatory):
- T1: ≤2k tokens (header + format checks)
- T2: ≤6k tokens (naming + deduplication + 2-4 sources)
- T3: ≤12k tokens (cross-sheet + rationale generation)

Safety checks:
- No external network calls (file processing only)
- No credential handling or sensitive data exposure
- Read-only operations on input files
- Validate file paths are within expected directories

Auditability:
- Log all validation steps with timestamps
- Preserve original input (no in-place modifications)
- Link every error/warning to specific source requirement
- Include skill version in all outputs

Determinism:
- Same input → same output (no random sampling)
- Consistent hash functions for duplicate detection
- Fixed threshold values (no dynamic adjustment)
- Reproducible similarity scoring (cosine/Levenshtein)

Performance targets:
- T1: < 5 seconds for files ≤1000 rows
- T2: < 15 seconds including duplicate detection
- T3: < 30 seconds for full cross-sheet analysis

Resources

Official FedRAMP guidance:
- FedRAMP POA&M Template Completion Guide: https://www.fedramp.gov/assets/resources/documents/CSP_POAM_Template_Completion_Guide.pdf
- FedRAMP OSCAL POA&M Documentation: https://automate.fedramp.gov/documentation/poam/
- FedRAMP Vulnerability Scanning Requirements: https://www.fedramp.gov/resources/documents/CSP_Vulnerability_Scanning_Requirements.pdf

NIST references:
- NIST SP 800-37 Rev. 2 (Risk Management Framework): https://csrc.nist.gov/pubs/sp/800/37/r2/final
- NIST SP 800-53 Rev. 5 (Security Controls): https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final

OSCAL resources:
- OSCAL POA&M Model: https://pages.nist.gov/OSCAL/concepts/layer/assessment/poam/
- FedRAMP OSCAL Baselines: https://github.com/GSA/fedramp-automation

Helper tools (linked in resources/):
- naming_convention_schema.json - Default FedRAMP field validation rules
- similarity_thresholds.yaml - Tunable deduplication parameters