FedRAMP POAM Quality Check

Validates FedRAMP Plan of Action and Milestones (POAM) files for structural integrity, naming conventions, deduplication, and cross-sheet consistency

Best use case

FedRAMP POAM Quality Check is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Validates FedRAMP Plan of Action and Milestones (POAM) files for structural integrity, naming conventions, deduplication, and cross-sheet consistency

Teams using FedRAMP POAM Quality Check should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/compliance-fedramp-validator/SKILL.md --create-dirs "https://raw.githubusercontent.com/williamzujkowski/cognitive-toolworks/main/skills/compliance-fedramp-validator/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/compliance-fedramp-validator/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How FedRAMP POAM Quality Check Compares

Feature / AgentFedRAMP POAM Quality CheckStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Validates FedRAMP Plan of Action and Milestones (POAM) files for structural integrity, naming conventions, deduplication, and cross-sheet consistency

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

## Purpose & When-To-Use

Use this skill when you need to validate a FedRAMP Plan of Action and Milestones (POAM) file before submission or continuous monitoring updates. The POAM tracks system weaknesses and deficiencies with corrective actions and timelines according to FedRAMP requirements (accessed 2025-10-25T21:04:34-04:00: https://www.fedramp.gov/assets/resources/documents/CSP_POAM_Template_Completion_Guide.pdf).

**Trigger conditions:**
- Pre-submission quality gates for FedRAMP POAM deliverables
- Continuous monitoring validation before AO submission
- Post-assessment cleanup to ensure data integrity
- Integration checks for OSCAL-to-TSV conversions
- Duplicate entry detection across Open/Closed sheets

## Pre-Checks

**Required validations before proceeding:**

1. **Input availability:**
   - `poam_tsv` file exists and is readable
   - File size < 10 MB (sanity check)
   - At least one header row present

2. **Time context:**
   - Compute `NOW_ET` using NIST time.gov semantics (America/New_York, ISO-8601)
   - Current timestamp: 2025-10-25T21:04:34-04:00

3. **Schema availability:**
   - If `naming_convention` provided, validate JSON schema structure
   - Required keys: `required_fields`, `date_format`, `severity_levels`
   - Default to FedRAMP standard if not provided

4. **Encoding check:**
   - Verify UTF-8 or ASCII encoding
   - Tab-delimited structure (not comma/pipe/other)

**Abort conditions:**
- File unreadable or corrupted
- No recognizable header row
- Encoding errors preventing parse

## Procedure

### Tier 1: Header & Format Sanity (≤2k tokens)

**Goal:** Fast validation for 80% of common issues

1. **Parse header row:**
   - Extract column names
   - Verify presence of core required fields:
     - `POA&M Item ID`, `Control Identifier`, `Weakness Description`
     - `Risk Level` (or `Severity`), `Scheduled Completion Date`, `Status`

2. **Row-level format checks:**
   - Count total rows (Open + Closed if multi-sheet)
   - Detect missing required fields (empty cells in required columns)
   - Flag malformed dates (must match YYYY-MM-DD or MM/DD/YYYY)
   - Check severity values: must be in {High, Moderate, Low, Informational}

3. **Output (JSON):**
   ```json
   {
     "errors": [
       {"row": 12, "field": "Scheduled Completion Date", "issue": "Invalid date format", "severity": "error"}
     ],
     "warnings": [],
     "stats": {"total_rows": 47, "duplicates": 0, "missing_required": 3}
   }
   ```

4. **Decision rule:**
   - If errors > 10% of rows OR missing_required > 5, stop and report
   - Else proceed to T2

**Token budget: ≤2k**

---

### Tier 2: Naming Convention & Deduplication (≤6k tokens)

**Goal:** Enforce naming standards and detect duplicates

1. **Apply naming convention schema:**
   - Validate `POA&M Item ID` format (e.g., `POAM-YYYY-###` or custom regex)
   - Check `Control Identifier` against NIST 800-53 rev4/rev5 catalog
   - Verify `Status` values: {Open, In Progress, Completed, Risk Accepted}

2. **Deduplication logic:**
   - Compute hash of (`Control Identifier`, `Weakness Description`, `Resource`)
   - Flag exact duplicates across Open/Closed sheets
   - Warn on near-duplicates (80%+ text similarity in Weakness Description)

3. **Timeline validation (FedRAMP requirements):**
   - High severity: remediation ≤ 30 days from discovery (accessed 2025-10-25T21:04:34-04:00: https://www.fedramp.gov/resources/documents/CSP_Vulnerability_Scanning_Requirements.pdf)
   - Moderate: ≤ 90 days
   - Low: ≤ 180 days
   - Flag overdue items with current `NOW_ET` comparison

4. **Sources cited:**
   - **FedRAMP POA&M Template Completion Guide** (accessed 2025-10-25T21:04:34-04:00): https://www.fedramp.gov/assets/resources/documents/CSP_POAM_Template_Completion_Guide.pdf
   - **FedRAMP Vulnerability Scanning Requirements** (accessed 2025-10-25T21:04:34-04:00): https://www.fedramp.gov/resources/documents/CSP_Vulnerability_Scanning_Requirements.pdf
   - **NIST SP 800-37 Rev. 2** (accessed 2025-10-25T21:04:34-04:00): https://csrc.nist.gov/pubs/sp/800/37/r2/final
   - **FedRAMP OSCAL POA&M Documentation** (accessed 2025-10-25T21:04:34-04:00): https://automate.fedramp.gov/documentation/poam/

5. **Enhanced output:**
   - Add `warnings` for near-duplicates and overdue timelines
   - Populate `duplicates` count in stats
   - Generate markdown fix suggestions prioritized by severity

**Token budget: ≤6k**

---

### Tier 3: Cross-Sheet Consistency (≤12k tokens)

**Goal:** Deep validation across Open/Closed sheets and logical integrity

1. **Sheet relationship checks:**
   - Verify no item appears in both Open and Closed sheets
   - Validate Closed items have `Completion Date` and `Status = Completed`
   - Check for reopened items (same ID moved from Closed → Open)

2. **Risk scoring consistency:**
   - If CVSS scores present, validate against declared `Risk Level`
   - Cross-reference `Weakness Description` with known CVE/CWE patterns
   - Flag discrepancies between narrative severity and numeric scores

3. **Milestone progression:**
   - For multi-milestone POAMs, verify dates are sequential
   - Check that `Original Detection Date` ≤ `Scheduled Completion Date`
   - Validate `Resources Required` field is populated for High/Moderate items

4. **Rationale generation:**
   - For each error/warning, provide context and remediation steps
   - Link to relevant sections of FedRAMP/NIST guidance
   - Estimate compliance risk (blocker vs. advisory)

5. **Comprehensive markdown report:**
   ```markdown
   ## Critical Issues (3)
   - Row 12: Invalid completion date (blocks submission)
   - Row 23: Duplicate weakness (merge required)

   ## Warnings (7)
   - Row 8: Timeline exceeds FedRAMP requirement (High: 30 days)

   ## Recommendations
   - Update naming convention to include fiscal year prefix
   - Consider automated CVE enrichment for weakness descriptions
   ```

**Token budget: ≤12k**

## Decision Rules

**Ambiguity thresholds:**
- **Exact duplicate:** 100% match on (Control ID, Weakness, Resource)
- **Near-duplicate:** ≥80% cosine similarity on Weakness Description text
- **Overdue tolerance:** Grace period of 7 calendar days beyond FedRAMP timeline

**Abort/stop conditions:**
- File parse failure → stop at Pre-Checks
- Errors > 10% rows → stop after T1, report findings
- Missing schema keys → use FedRAMP defaults, log warning

**Escalation triggers:**
- Critical errors (missing required fields, invalid dates) → halt progression
- Warnings only → continue to T3 if requested

## Output Contract

**Primary output (`findings.json`):**
```json
{
  "errors": [
    {
      "row": 12,
      "field": "Scheduled Completion Date",
      "issue": "Invalid date format (expected YYYY-MM-DD)",
      "severity": "error"
    }
  ],
  "warnings": [
    {
      "row": 8,
      "field": "Risk Level",
      "issue": "High-severity item overdue by 15 days",
      "severity": "warning"
    }
  ],
  "stats": {
    "total_rows": 47,
    "duplicates": 2,
    "missing_required": 3,
    "overdue_high": 1,
    "overdue_moderate": 4
  }
}
```

**Secondary output (`fix_suggestions.md`):**
- Markdown-formatted remediation guidance
- Grouped by severity: Critical → High → Medium → Low
- Includes row numbers, field names, and specific correction steps
- Links to authoritative sources for each issue type

**Required fields in all outputs:**
- `timestamp`: ISO-8601 Eastern Time (NOW_ET)
- `skill_version`: "1.0.0"
- `input_file`: original filename

## Examples

**Example 1: Basic T1 validation (≤30 lines)**

```python
# Input: poam_tsv = "fedramp_poam_2025.tsv"

findings = {
  "errors": [
    {"row": 5, "field": "POA&M Item ID", "issue": "Missing"},
    {"row": 12, "field": "Date", "issue": "Invalid '13/45/2025'"}
  ],
  "warnings": [
    {"row": 8, "issue": "High overdue 15d"}
  ],
  "stats": {"total_rows": 47, "duplicates": 2}
}

fix_suggestions = """
## Critical (2)
- Row 5: Add POA&M Item ID (POAM-2025-NNN)
- Row 12: Fix date (YYYY-MM-DD)

## Warnings (1)
- Row 8: High past 30-day window
"""

import json
print(json.dumps(findings))
print(fix_suggestions)
# Output: JSON findings + markdown suggestions
```

## Quality Gates

**Token budgets (mandatory):**
- T1: ≤2k tokens (header + format checks)
- T2: ≤6k tokens (naming + deduplication + 2-4 sources)
- T3: ≤12k tokens (cross-sheet + rationale generation)

**Safety checks:**
- No external network calls (file processing only)
- No credential handling or sensitive data exposure
- Read-only operations on input files
- Validate file paths are within expected directories

**Auditability:**
- Log all validation steps with timestamps
- Preserve original input (no in-place modifications)
- Link every error/warning to specific source requirement
- Include skill version in all outputs

**Determinism:**
- Same input → same output (no random sampling)
- Consistent hash functions for duplicate detection
- Fixed threshold values (no dynamic adjustment)
- Reproducible similarity scoring (cosine/Levenshtein)

**Performance targets:**
- T1: < 5 seconds for files ≤1000 rows
- T2: < 15 seconds including duplicate detection
- T3: < 30 seconds for full cross-sheet analysis

## Resources

**Official FedRAMP guidance:**
- FedRAMP POA&M Template Completion Guide: https://www.fedramp.gov/assets/resources/documents/CSP_POAM_Template_Completion_Guide.pdf
- FedRAMP OSCAL POA&M Documentation: https://automate.fedramp.gov/documentation/poam/
- FedRAMP Vulnerability Scanning Requirements: https://www.fedramp.gov/resources/documents/CSP_Vulnerability_Scanning_Requirements.pdf

**NIST references:**
- NIST SP 800-37 Rev. 2 (Risk Management Framework): https://csrc.nist.gov/pubs/sp/800/37/r2/final
- NIST SP 800-53 Rev. 5 (Security Controls): https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final

**OSCAL resources:**
- OSCAL POA&M Model: https://pages.nist.gov/OSCAL/concepts/layer/assessment/poam/
- FedRAMP OSCAL Baselines: https://github.com/GSA/fedramp-automation

**Helper tools (linked in resources/):**
- `naming_convention_schema.json` - Default FedRAMP field validation rules
- `similarity_thresholds.yaml` - Tunable deduplication parameters

Related Skills

Operating System Security Hardening Checker

5
from williamzujkowski/cognitive-toolworks

Verify operating system hardening using CIS benchmarks with patch management, kernel hardening, and host-based firewall validation.

Container Security Checker

5
from williamzujkowski/cognitive-toolworks

Validate container and Kubernetes security using CIS benchmarks with pod security standards, RBAC review, and image vulnerability checks.

UX Wireframe Designer

5
from williamzujkowski/cognitive-toolworks

Design user experience wireframes, user flows, and interactive mockups for web and mobile applications using industry-standard notation

TypeScript Tooling Specialist

5
from williamzujkowski/cognitive-toolworks

Generate TypeScript/JavaScript project scaffolding with npm/pnpm/yarn, Jest/Vitest, ESLint/Prettier, and bundling (Vite/Rollup/esbuild).

Python Tooling Specialist

5
from williamzujkowski/cognitive-toolworks

Generate Python project scaffolding with Poetry/pipenv, pytest configuration, type hints (mypy), linting (ruff/black), and packaging (setuptools/flit).

Java Tooling Specialist

5
from williamzujkowski/cognitive-toolworks

Generate Java project scaffolding with Maven/Gradle, JUnit 5, Mockito, Checkstyle/SpotBugs, and packaging (JAR/WAR/native-image).

C# .NET Tooling Specialist

5
from williamzujkowski/cognitive-toolworks

Generate C# .NET project scaffolding with dotnet CLI, xUnit/NUnit, StyleCop analyzers, and packaging (NuGet/Docker).

Unit Testing Framework Generator

5
from williamzujkowski/cognitive-toolworks

Generate unit test scaffolding and test suites for Jest, PyTest, Go testing, JUnit, RSpec with mocking, assertions, and coverage configuration

Testing Strategy Composer

5
from williamzujkowski/cognitive-toolworks

Compose comprehensive testing strategies spanning unit, integration, e2e, and performance tests with optimal coverage.

Load Testing Scenario Designer

5
from williamzujkowski/cognitive-toolworks

Design load testing scenarios using k6, JMeter, Gatling, or Locust with ramp-up patterns, think time modeling, and performance SLI validation.

Integration Testing Designer

5
from williamzujkowski/cognitive-toolworks

Design integration test scenarios with database fixtures, external service mocks, contract testing, and test environment setup for microservices and APIs.

Chaos Engineering Experiment Designer

5
from williamzujkowski/cognitive-toolworks

Design chaos engineering experiments to test system resilience with controlled failure injection, hypothesis formulation, and blast radius control.