From compliance-trestle
Provides knowledge on the OSCAL POA&M model in Compliance Trestle for tracking security findings, remediation actions, milestones, risks, and workflows. Useful for compliance and risk management.
Slash command: `/compliance-trestle:trestle-poam`
The POA&M model tracks security findings that need remediation. It documents:
```json
{
  "plan-of-action-and-milestones": {
    "uuid": "...",
    "metadata": {
      "title": "System POA&M",
      "version": "1.0"
    },
    "import-ssp": { "href": "#..." },
    "system-id": { "id": "..." },
    "poam-items": [
      {
        "uuid": "...",
        "title": "AC-1 Finding",
        "description": "Access control policy not fully documented",
        "related-observations": [],
        "related-risks": [],
        "origins": [],
        "remarks": "..."
      }
    ],
    "local-definitions": {
      "components": [],
      "inventory-items": []
    },
    "observations": [],
    "risks": []
  }
}
```
Each POA&M item represents a finding requiring remediation:
| Field | Purpose |
|---|---|
| title | Short description of the finding |
| description | Detailed description of the weakness |
| related-observations | Links to observations from the assessment |
| related-risks | Links to associated risk entries |
| origins | Who or what identified this item |
| remarks | Additional notes or context |
Observations provide evidence and context for findings:
```json
{
  "uuid": "...",
  "title": "AC-1 Observation",
  "description": "Policy document was last updated 3 years ago",
  "methods": ["EXAMINE", "INTERVIEW"],
  "types": ["finding"],
  "subjects": [{ "subject-uuid": "...", "type": "component" }],
  "collected": "2024-01-15T00:00:00Z"
}
```
| Method | Description |
|---|---|
| EXAMINE | Review of documentation, records, configurations |
| INTERVIEW | Discussion with personnel |
| TEST | Hands-on testing of systems and controls |
Risk entries document the risk associated with findings:
```json
{
  "uuid": "...",
  "title": "Outdated Access Control Policy",
  "description": "...",
  "statement": "Without current policy, access controls may not meet requirements",
  "status": "open",
  "characterizations": [
    {
      "origin": {},
      "facets": [
        { "name": "likelihood", "value": "moderate", "system": "..." },
        { "name": "impact", "value": "high", "system": "..." }
      ]
    }
  ],
  "mitigating-factors": [],
  "remediations": [
    {
      "uuid": "...",
      "lifecycle": "planned",
      "title": "Update access control policy",
      "description": "...",
      "required-assets": [],
      "tasks": [
        {
          "uuid": "...",
          "type": "milestone",
          "title": "Draft updated policy",
          "timing": {
            "within-date-range": {
              "start": "2024-02-01",
              "end": "2024-03-01"
            }
          }
        }
      ]
    }
  ]
}
```
Risk `status` values:

| Status | Meaning |
|---|---|
| open | Finding is active, not yet remediated |
| investigating | Under investigation |
| remediating | Actively being remediated |
| deviation-requested | Requesting deviation/risk acceptance |
| deviation-approved | Deviation approved (risk accepted) |
| closed | Finding has been remediated and verified |
Remediation `lifecycle` values:

| Lifecycle | Meaning |
|---|---|
| recommendation | Suggested action |
| planned | Approved remediation plan |
| completed | Remediation action completed |
```text
plan-of-action-and-milestones/
└── my-system-poam/
    └── plan-of-action-and-milestones.json
```
```bash
# Import an existing POA&M JSON file into the trestle workspace
trestle import -f poam.json -o my-system-poam
# Validate the imported model against the OSCAL schema
trestle validate -t plan-of-action-and-milestones -n my-system-poam
# Split poam-items into its own file so items can be edited in isolation
trestle split -t plan-of-action-and-milestones -n my-system-poam -e 'plan-of-action-and-milestones.poam-items'
# Merge the edited poam-items back into the single model file
trestle merge -t plan-of-action-and-milestones -n my-system-poam -e 'poam-items'
```
```text
Assessment Results  →  POA&M
        ↑                ↓
       SSP        Remediation Tracking
```

- `import-ssp` links the POA&M to the SSP it covers
- Each not-satisfied finding in Assessment Results should have a corresponding POA&M item
- An item is `closed` when remediated and verified

The POA&M model does not have `trestle author` generate/assemble commands. Unlike catalogs, profiles, component definitions, and SSPs, POA&M uses a JSON-based workflow:

create → split → edit JSON → merge → validate

Direct JSON editing via the split/merge cycle is the correct approach for POA&M.
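Because the edit step is hand-edited JSON, it is worth checking the document against the rules above before merging and validating. The following is an added example, not part of this skill or of the compliance-trestle project: a small lint that resolves every `related-risks`/`related-observations` reference, checks `status` and `lifecycle` against the tables, and flags a milestone whose date range has passed unless its risk is closed or its remediation completed. The `risk-uuid` and `observation-uuid` reference keys are OSCAL's own; the sample document and the cut-off date are constructed.

```python
from datetime import date

# Allowed values, taken from the status and lifecycle tables above.
RISK_STATUSES = {"open", "investigating", "remediating",
                 "deviation-requested", "deviation-approved", "closed"}
LIFECYCLES = {"recommendation", "planned", "completed"}

def lint_poam(doc, today):
    poam = doc["plan-of-action-and-milestones"]
    risks = {r["uuid"]: r for r in poam.get("risks", [])}
    observations = {o["uuid"] for o in poam.get("observations", [])}
    problems = []
    # Every cross-reference from a POA&M item must resolve inside the document.
    for item in poam.get("poam-items", []):
        for ref in item.get("related-risks", []):
            if ref["risk-uuid"] not in risks:
                problems.append(f"{item['title']}: unknown risk {ref['risk-uuid']}")
        for ref in item.get("related-observations", []):
            if ref["observation-uuid"] not in observations:
                problems.append(f"{item['title']}: unknown observation {ref['observation-uuid']}")
    # Status and lifecycle must be allowed values; unfinished work must not be past its milestone.
    for risk in risks.values():
        if risk.get("status") not in RISK_STATUSES:
            problems.append(f"{risk['title']}: invalid status {risk.get('status')!r}")
        for rem in risk.get("remediations", []):
            if rem.get("lifecycle") not in LIFECYCLES:
                problems.append(f"{rem['title']}: invalid lifecycle {rem.get('lifecycle')!r}")
            done = risk.get("status") == "closed" or rem.get("lifecycle") == "completed"
            for task in rem.get("tasks", []):
                rng = task.get("timing", {}).get("within-date-range")
                if rng:  # a time part, if present, is ignored: only the date prefix matters here
                    start, end = (date.fromisoformat(rng[k][:10]) for k in ("start", "end"))
                    if end < start:
                        problems.append(f"{task['title']}: end date precedes start date")
                    elif today > end and not done:
                        problems.append(f"{task['title']}: milestone overdue since {end}")
    return problems

# Constructed sample (not a real system): one dangling risk reference and one overdue milestone.
SAMPLE = {"plan-of-action-and-milestones": {
    "uuid": "poam-1", "observations": [{"uuid": "obs-1", "title": "AC-1 Observation"}],
    "poam-items": [{"uuid": "item-1", "title": "AC-1 Finding", "related-observations": [{"observation-uuid": "obs-1"}],
                    "related-risks": [{"risk-uuid": "risk-1"}, {"risk-uuid": "risk-9"}]}],
    "risks": [{"uuid": "risk-1", "title": "Outdated Access Control Policy", "status": "open", "remediations": [
        {"uuid": "rem-1", "lifecycle": "planned", "title": "Update policy", "tasks": [
            {"uuid": "task-1", "type": "milestone", "title": "Draft updated policy",
             "timing": {"within-date-range": {"start": "2024-02-01", "end": "2024-03-01"}}}]}]}]}}
SAMPLE_TODAY = date(2024, 6, 1)  # constructed cut-off date, after the sample milestone ends
def lint_sample():
    return lint_poam(SAMPLE, SAMPLE_TODAY)
```

Run the lint on the split `poam-items` and `risks` files (or the merged model) before `trestle validate`; schema validation alone will not catch a dangling reference or a silently expired milestone.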
Install: `npx claudepluginhub ethanolivertroy/compliance-trestle-skills --plugin compliance-trestle`