assessment-assets missing in POAM's local-definitions

[CyberDaedalus00]

Describe the bug

In circumstances where a POAM is provided without a System Security Plan (SSP), for circumstances where no OSCAL-based SSP exists, or is not delivered with the POA&M, there is no means to specify the definitions of components and assessment-platforms used in the assessment and referenced by an origin's actor as the source of the information. As a result there is no means to resolve/lookup details about the referenced actor.

{A clear and concise description of what the bug is.}

Who is the bug affecting?

What is affected by this bug?

{Describe the impact the bug is having.}

When does this occur?

{Describe the conditions under which the bug is occurring.}

How do we replicate the issue?

{What are the steps to reproduce the behavior?

1. Do this...
2. Then this...
3. See error

If applicable, add screenshots to help explain your problem.}

Expected behavior (i.e. solution)

The local-definition of the POAM should be revised to contain an assessment-assets field that would enable definitions for both components or assessment-platforms used in the assessment to be defined so that references can be resolved.

Other Comments

{Add any other context about the problem here.}

[david-waltermire]

To correct this assessment-assets needs to be added to local-definitions in the POAM model to allow for the assessment tooling to be cross-referenced. This should have the same structure as the local-definitions/assessment-assets allowed in the OSCAL assessment-results model.