Dependencies

Purpose

Dependencies are an easy way of explaining why a POAM is necessary and what is needed to address the underlying risk.  Each POAM can have one or more dependencies selected.  These can be reported for a single System or multiple Systems. 

Use Cases

If there are many POAMs open for database related risks, the System Admin or ISSO can specify, through dependencies, that there is no database expertise available to fix the risks.  The CIO can run a report across the whole enterprise to see how prevalent this problem is.  

Another use case may be a vendor who has Systems deployed at various locations across the enterprise.  If the vendor is not responsive and not providing timely updates and patches for vulnerabilities, the POAMs created can list a dependency that the vendor is not responsive.  The CIO will see this when running the report and take appropriate action with regard to the vendor.

Setting the Dependency

The dependency is most easily set through the POAM Task Queue.  In the POAM Task Queue, the user can expand the row.  One of the tabs that displays is the Dependencies tab.  The user can “Edit Dependencies” and select the appropriate dependencies that are keeping this POAM open.

Alternatively, the dependency can be set by navigating to a System > POAM (tab).  Click on a POAM title, then click on an Action title, select the Dependencies tab and click “Edit Dependencies”.

Dependency Report

The report is located under the POAM Reports.  You can navigate to it through the left menu bar at Reports > POAM  Data > Risk by Dependency.  then set your filter and click Apply Filters to see the results.